What the vulnerability does
01 Description
The WPLMS theme for WordPress is vulnerable to Privilege Escalation in versions 1.5.2 to 1.8.4.1 via the 'wp_ajax_import_data' AJAX action. This makes it possible for authenticated attackers to change otherwise restricted settings and potentially create a new accessible admin account.
Explanation of Vulnerability in Simple Terms
02 Summary
The WPLMS Learning Management System theme for WordPress versions up to 1.8.4.1 contains a privilege management flaw that allows authenticated users with low-level access to perform actions reserved for administrators. An attacker with a basic user account can read sensitive data, modify site content, or disrupt service without requiring additional interaction or elevated permissions.
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify content, or disrupt the site using a low-privilege user account.
Potential impact on your site
04 Site Impact
Any registered user can escalate their capabilities to perform admin-level actions, compromising data confidentiality and site integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account on the site (low privilege level sufficient).
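An added example, not code from the WPLMS theme or from this advisory: a must-use plugin that runs ahead of the theme's `wp_ajax_import_data` handler and rejects callers who lack an administrator capability. The file name, the function and constant names, and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: Gate import_data AJAX action (added example, not WPLMS code)
 *
 * Assumed location: wp-content/mu-plugins/gate-import-data.php
 * Must-use plugins load on every request and cannot be deactivated
 * from the dashboard, so the gate stays in place while the theme is
 * still on an affected version.
 */

// Assumption: only administrators should be able to reach this action.
const GATE_IMPORT_DATA_CAP = 'manage_options';

/**
 * Runs before the theme's own handler. Administrators fall through to
 * the original callback; everyone else is logged and stopped.
 */
function gate_import_data_ajax() {
    if ( current_user_can( GATE_IMPORT_DATA_CAP ) ) {
        return;
    }

    // Leave a trace for detection: who called the action and from where.
    error_log( sprintf(
        'Blocked import_data AJAX call: user_id=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() sends the response and ends the request, so
    // callbacks registered at later priorities never run.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// wp_ajax_{action} fires only for logged-in users, which matches the
// prerequisite above. PHP_INT_MIN places this callback ahead of any
// handler registered at the default priority of 10.
add_action( 'wp_ajax_import_data', 'gate_import_data_ajax', PHP_INT_MIN );
```

Blocked calls appear in the PHP error log with the calling user ID, which gives a list of accounts to review.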
Key dates
06 Disclosure timeline
July 19, 2025: CVE published
April 8, 2026: Record updated