CVE-2015-10139 HIGH

CVE-2015-10139: WPLMS Learning Management System for WordPress, WordPress LMS <= 1.8.4.1 - Privilege Escalation

Vendor: Vibethemes
Product: WPLMS Learning Management System for WordPress, WordPress LMS
Weakness: CWE-269
Published: July 19, 2025
Last update: April 8, 2026

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WPLMS theme for WordPress is vulnerable to Privilege Escalation in versions 1.5.2 to 1.8.4.1 via the 'wp_ajax_import_data' AJAX action. This makes it possible for authenticated attackers to change otherwise restricted settings and potentially create a new accessible admin account.
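To check whether a site falls inside the affected range stated above, the following added example (not code from the advisory or from the vendor) reads the `style.css` header of each installed theme and compares its version against 1.5.2 to 1.8.4.1 inclusive. It assumes the standard WordPress theme header layout and that the theme identifies itself with "WPLMS" in its `Theme Name` field; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

# Inclusive affected range, taken from the advisory description.
FIRST_AFFECTED, LAST_AFFECTED = "1.5.2", "1.8.4.1"

def version_key(version, width=4):
    """'1.8.4' -> (1, 8, 4, 0): numeric parts, zero-padded to a fixed width."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def is_affected(version):
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)

def parse_theme_header(css_text):
    """Read 'Key: value' fields from the comment header of a theme's style.css."""
    fields = {}
    for line in css_text.splitlines()[:40]:
        m = re.match(r"[\s*/]*([A-Za-z ]+?)\s*:\s*(.+?)\s*(?:\*/)?\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields

def check_theme(css_text):
    """Return 'affected', 'not-affected', 'unknown-version' or 'not-wplms'."""
    fields = parse_theme_header(css_text)
    # Assumption: the theme identifies itself with "WPLMS" in its Theme Name field.
    if "wplms" not in fields.get("theme name", "").lower():
        return "not-wplms"
    version = fields.get("version", "")
    if not re.search(r"\d", version):
        return "unknown-version"  # no usable version: needs manual review
    return "affected" if is_affected(version) else "not-affected"

def scan_themes(themes_dir):
    """Map each folder under wp-content/themes to its check_theme() result."""
    return {css.parent.name: check_theme(css.read_text(errors="replace"))
            for css in sorted(Path(themes_dir).glob("*/style.css"))}

# Constructed sample header, not copied from the real theme.
SAMPLE_HEADER = "/*\nTheme Name: WPLMS\nVersion: 1.8.4.1\n*/\n"

if __name__ == "__main__":
    print("sample:", check_theme(SAMPLE_HEADER))
    for name, status in scan_themes(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {status}")
```

Run it with the path to `wp-content/themes` as the only argument; a child theme reports its own version, so check the parent theme's folder as well.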

Explanation of Vulnerability in Simple Terms

02 Summary

The WPLMS Learning Management System plugin for WordPress versions up to 1.8.4.1 contains a privilege management flaw that allows authenticated users with low-level access to perform actions reserved for administrators. An attacker with a basic user account can read sensitive data, modify site content, or disrupt service without requiring additional interaction or elevated permissions.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify content, or disrupt the site using a low-privilege user account.

Potential impact on your site

04 Site Impact

Any registered user can escalate their capabilities to perform admin-level actions, compromising data confidentiality and site integrity.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid user account on the site (low privilege level sufficient).

Key dates

06 Disclosure timeline

July 19, 2025: CVE published
April 8, 2026: Record updated