Description
Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The WPFunnels Creator LMS plugin contains an incorrect privilege assignment bug that permits a user with lower permissions to elevate their role to administrator. This flaw enables an attacker to fully control the WordPress site, including changing settings, managing users, and publishing malicious content, thereby compromising confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects the WordPress plugin WPFunnels Creator LMS for all releases up to version 1.1.18. Earlier releases are also impacted, as the defect existed from the earliest available version through the listed limit.

Risk and Exploitability

The functionality flaw has a high severity rating of 8.8 on a 0‑10 scale, indicating substantial potential damage if exploited. The estimated probability of an exploit being used is less than one percent, and the vulnerability is not listed in the known exploited vulnerabilities catalog. An attacker must be authenticated with a non‑administrative role to use the flaw, after which they can obtain full administrative privileges. The combination of high potential impact and the requirement for user authentication means the threat is moderate to high, especially for sites where low‑level users have unrestricted privileges.

Generated by OpenCVE AI on March 26, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPFunnels Creator LMS to a version newer than 1.1.18 as soon as possible.
  • If an upgrade cannot be performed immediately, limit non‑admin users' capabilities to the minimum necessary.
  • Continuously monitor the site for unexpected role changes or unauthorized administrative activity.

Generated by OpenCVE AI on March 26, 2026 at 16:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpfunnels
Wpfunnels creator Lms
Vendors & Products Wordpress
Wordpress wordpress
Wpfunnels
Wpfunnels creator Lms

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18.
Title WordPress Creator LMS plugin <= 1.1.18 - Privilege Escalation vulnerability
Weaknesses CWE-266
References

Subscriptions

Wordpress Wordpress
Wpfunnels Creator Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T13:40:38.319Z

Reserved: 2026-03-12T11:12:24.776Z

Link: CVE-2026-32530

cve-icon Vulnrichment

Updated: 2026-03-26T13:38:17.382Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:17:06.377

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32530

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:40Z

Weaknesses