CVE-2025-69359 MEDIUM

CVE-2025-69359: WordPress Creator LMS plugin <= 1.1.12 - Broken Access Control vulnerability

Vendor Wpfunnels
Product Creator LMS
Weakness CWE-862 · Missing authorization
Published January 6, 2026
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12.

Explanation of Vulnerability in Simple Terms

02Summary

Creator LMS versions up to 1.1.12 lack proper authorization checks, allowing unauthenticated attackers to disrupt service availability. The vulnerability requires no user interaction and can be exploited remotely over the network. Site administrators should update to a version newer than 1.1.12 to restore proper access controls.

What an attacker can do

03Attacker Capabilities

Disrupt service availability without authentication or user interaction.

Potential impact on your site

04Site Impact

Unauthenticated users can cause denial of service against your Creator LMS installation.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

January 6, 2026 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2025-66139 WordPress Audier For Elementor plugin <= 1.0.9 - Broken Access Control vulnerability CVE-2024-32705 WordPress ARForms plugin <= 6.4 - Subscriber+ Arbitrary Plugin Activation/Deactivation Vulnerability CVE-2024-33686 Broken Access Control vulnerability affecting multiple WordPress themes by Extend Themes CVE-2025-12783 Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update CVE-2024-55408