CVE-2025-14156: CWE-20 Improper Input Validation in ays-pro Fox LMS – WordPress LMS Plugin
CVE-2025-14156 is a critical vulnerability in the Fox LMS WordPress plugin that allows unauthenticated attackers to escalate privileges by exploiting improper input validation of the 'role' parameter in the create-order REST API endpoint. Attackers can create new user accounts with arbitrary roles, including administrator, leading to full site compromise without any authentication or user interaction. This vulnerability affects all versions up to and including 1.0.5.1, with a CVSS score of 9.8, indicating a severe risk. No known exploits are currently in the wild, but the ease of exploitation and impact make it a significant threat. European organizations using this plugin in their WordPress LMS setups are at risk of data breaches, service disruption, and loss of control over their websites. Immediate patching or mitigation is critical to prevent exploitation.
AI Analysis
Technical Summary
CVE-2025-14156 is a critical security vulnerability identified in the Fox LMS plugin for WordPress, specifically affecting versions up to 1.0.5.1. The root cause is improper input validation (CWE-20) of the 'role' parameter within the REST API endpoint `/fox-lms/v1/payments/create-order`. This endpoint is intended for creating payment orders but fails to validate the 'role' parameter when creating new user accounts. As a result, an unauthenticated attacker can craft requests to this endpoint to create new users with arbitrary roles, including administrative privileges. This bypasses all authentication and authorization controls, enabling complete site takeover. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical nature with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits have been reported in the wild yet, the vulnerability’s characteristics make it highly exploitable. The plugin is used in WordPress-based learning management systems, which often contain sensitive educational data and user information, increasing the stakes of exploitation. The lack of a patch at the time of disclosure necessitates immediate mitigation steps to prevent compromise.
Potential Impact
For European organizations, the impact of this vulnerability can be severe. Educational institutions, e-learning providers, and corporate training platforms using the Fox LMS plugin are at risk of unauthorized administrative access. Attackers could manipulate course content, exfiltrate sensitive user data including personal and payment information, disrupt LMS services, or deploy further malware and ransomware. The full site compromise could lead to reputational damage, regulatory penalties under GDPR due to data breaches, and operational downtime. Given the criticality and ease of exploitation, organizations face a high risk of rapid compromise once the vulnerability becomes widely known or exploited. The impact extends beyond the LMS to the entire WordPress site and potentially connected systems, amplifying the threat landscape for European entities relying on this plugin.
Mitigation Recommendations
Immediate mitigation involves upgrading the Fox LMS plugin to a patched version once available. Until a patch is released, organizations should implement the following specific measures:
1) Restrict access to the `/fox-lms/v1/payments/create-order` REST API endpoint using web application firewalls (WAFs) or reverse proxies to allow only trusted IP addresses or authenticated users.
2) Disable or limit REST API access for unauthenticated users via WordPress settings or plugins that control REST API permissions.
3) Monitor WordPress logs for suspicious POST requests to the vulnerable endpoint, especially those attempting to set the 'role' parameter.
4) Implement strict user role assignment policies and audit existing user accounts for unauthorized administrators.
5) Employ intrusion detection systems to detect anomalous behavior related to user creation.
6) Educate site administrators on the risk and encourage immediate action to reduce exposure.
These targeted mitigations go beyond generic advice by focusing on the specific vulnerable endpoint and attack vector.
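As an added example (not part of this advisory and not code from the Fox LMS project), the following WordPress must-use plugin implements measures 2 and 3 for the one affected route: it logs every request to the endpoint that carries a 'role' parameter and refuses unauthenticated calls before the plugin's own handler runs. It assumes the route string exactly as given above and, as defence in depth, also rejects a client-supplied 'role' from authenticated callers on the assumption that the legitimate order flow never needs it.

```php
<?php
/**
 * Plugin Name: Fox LMS create-order hardening (temporary mitigation for CVE-2025-14156)
 * Place this file in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Remove it once a patched Fox LMS release (later than 1.0.5.1) is installed.
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Only the route named in the advisory is touched; the rest of the REST API is untouched.
    if ( $request->get_route() !== '/fox-lms/v1/payments/create-order' ) {
        return $result;
    }

    $params   = $request->get_params();          // merged URL, query, body and JSON params
    $has_role = array_key_exists( 'role', $params );
    $client   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Measure 3: leave an audit trail of any attempt to set 'role' on this endpoint.
    if ( $has_role ) {
        error_log( sprintf(
            '[CVE-2025-14156] create-order request with role=%s from %s (authenticated=%s)',
            sanitize_key( (string) $params['role'] ),
            $client,
            is_user_logged_in() ? 'yes' : 'no'
        ) );
    }

    // Measure 2: unauthenticated callers are refused; a non-null return short-circuits dispatch.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Authentication is required for this endpoint.' ),
            array( 'status' => 401 )
        );
    }

    // Defence in depth (assumption: the order flow never needs a client-chosen role):
    // the server, not the request, decides which role a newly created account receives.
    if ( $has_role ) {
        return new WP_Error(
            'rest_invalid_param',
            __( 'The role parameter is not accepted on this endpoint.' ),
            array( 'status' => 400 )
        );
    }

    return $result;
}, 10, 3 );
```

For measure 4, the accounts this filter is meant to prevent can be reviewed with `wp user list --role=administrator`, comparing the result against the list of expected administrators.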
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-05T20:32:01.682Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69401ef9d9bcdf3f3de12798
Added to database: 12/15/2025, 2:45:13 PM
Last enriched: 12/15/2025, 3:00:39 PM
Last updated: 12/15/2025, 5:04:52 PM