Description
Incorrect Privilege Assignment vulnerability in designthemes LMS Elementor Pro lms-elementor-pro allows Privilege Escalation.This issue affects LMS Elementor Pro: from n/a through <= 1.0.4.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an incorrect privilege assignment flaw in the LMS Elementor Pro WordPress plugin. It allows an attacker to elevate their access level within the WordPress installation, potentially giving them higher permissions than intended. This weakness is classified as CWE‑266. The impact is that an attacker with limited or even guest access could gain administrator capabilities, compromising the site’s confidentiality, integrity, and availability.

Affected Systems

All installations of the designthemes LMS Elementor Pro plugin with version 1.0.4 or earlier are affected. No other versions or separate products are listed as impacted.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity. The EPSS score of less than 1 % indicates a low probability of exploitation at the moment, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector likely involves the plugin’s administrative interface, where an attacker with some level of authenticated or even unauthenticated access could manipulate user data to elevate privileges. Once escalated, the attacker can perform any action allowed to an admin, such as installing additional plugins, modifying site settings, or accessing sensitive user information.

Generated by OpenCVE AI on April 15, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LMS Elementor Pro to the latest version (1.0.5 or newer) to remove the privilege escalation flaw.
  • If an upgrade is not immediately feasible, disable the plugin until a patch is applied to prevent exploitation.
  • Monitor WordPress audit logs for any unauthorized account changes or privilege escalation activities and investigate promptly.

Generated by OpenCVE AI on April 15, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Designthemes
Designthemes lms Elementor Pro
Wordpress
Wordpress wordpress
Vendors & Products Designthemes
Designthemes lms Elementor Pro
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in designthemes LMS Elementor Pro lms-elementor-pro allows Privilege Escalation.This issue affects LMS Elementor Pro: from n/a through <= 1.0.4.
Title WordPress LMS Elementor Pro plugin <= 1.0.4 - Privilege Escalation vulnerability
Weaknesses CWE-266
References

Subscriptions

Designthemes Lms Elementor Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:17.673Z

Reserved: 2026-02-25T12:12:49.961Z

Link: CVE-2026-27983

cve-icon Vulnrichment

Updated: 2026-03-06T18:41:34.502Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:30.370

Modified: 2026-03-06T19:16:18.573

Link: CVE-2026-27983

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T23:30:17Z

Weaknesses