Description
Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12.
Published: 2026-01-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Resource Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from missing authorization checks within the Creator LMS plugin, allowing actors to exploit incorrectly configured access control levels. Attackers can read or alter content that should be protected, such as course materials, user progress, or administrative settings. This weakness aligns with CWE-862, an Authorization Bypass.

Affected Systems

The issue affects the WordPress plugin Creator LMS from the WPFunnels vendor. All versions from the initial release up to and including 1.1.12 are impacted. Site owners using any of these releases are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 marks it as a moderate severity flaw. The EPSS score is below 1%, indicating a low likelihood of exploitation, and it is not listed in the CISA KEV catalog. Likely exploitation occurs via the web interface of the plugin, potentially requiring authenticated or unauthenticated access depending on the site’s configuration.

Generated by OpenCVE AI on April 27, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Creator LMS plugin to a version later than 1.1.12, or uninstall it if no update is available.
  • Restrict the plugin’s administrative routes to administrator roles only and review any custom capabilities that may grant broader access.
  • Audit existing content and user data for unauthorized changes and rotate credentials for any accounts that might have been compromised.

Generated by OpenCVE AI on April 27, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 13 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpfunnels
Wpfunnels creator Lms
Vendors & Products Wordpress
Wordpress wordpress
Wpfunnels
Wpfunnels creator Lms

Tue, 06 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12.
Title WordPress Creator LMS plugin <= 1.1.12 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
Wpfunnels Creator Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:38.782Z

Reserved: 2025-12-31T20:12:32.245Z

Link: CVE-2025-69359

cve-icon Vulnrichment

Updated: 2026-01-13T14:15:59.280Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T17:15:48.440

Modified: 2026-04-27T19:16:43.067

Link: CVE-2025-69359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:00:16Z

Weaknesses