Skip to main content

Creator Lms EUVDEUVD-2026-15899

| CVE-2026-32530 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-03-25 Patchstack GHSA-vj36-gx8h-q66m
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15899
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 8.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18.

AnalysisAI

An Incorrect Privilege Assignment vulnerability exists in WPFunnels Creator LMS plugin (versions up to and including 1.1.18) that allows authenticated or unauthenticated attackers to escalate their privileges within the application. This CWE-266 flaw enables attackers to gain unauthorized administrative or elevated access, potentially compromising the entire LMS installation and user data. While CVSS and EPSS scores are not yet publicly available, the privilege escalation nature and confirmed vulnerability status indicate significant real-world risk, particularly for WordPress installations managing educational content and user accounts.

Technical ContextAI

The vulnerability resides in the WPFunnels Creator LMS WordPress plugin, a learning management system extension for WordPress (identified via CPE cpe:2.3:a:wpfunnels:creator_lms:*:*:*:*:*:*:*:*). The root cause is classified under CWE-266 (Incorrect Privilege Assignment), which indicates the application fails to properly enforce role-based access control or permission boundaries when assigning user capabilities. Rather than a single code injection or authentication bypass flaw, this represents a logical flaw in how the plugin determines and validates user roles and permissions during runtime, likely affecting WordPress capability checks (the standard WordPress permission mechanism via wp_get_current_user_caps() or similar functions).

RemediationAI

Immediately upgrade WPFunnels Creator LMS to a version released after 1.1.18 (patch version to be confirmed via Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-18-privilege-escalation-vulnerability?_s_id=cve or the official plugin repository). Perform the upgrade via WordPress Dashboard > Plugins > Updates or via WP-CLI using wp plugin update creatorlms. Until patching is complete, implement WordPress-level access controls by restricting plugin capabilities through additional role-management plugins, disabling LMS access for non-administrator users via .htaccess if possible, and auditing user account capabilities via wp-cli (wp user list-caps [user-id]) to detect privilege escalation. Monitor WordPress debug logs for unauthorized capability assignments and audit user logins immediately after patching.

Share

EUVD-2026-15899 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy