CVE-2015-10139 in WPLMS Learning Management System Plugin

Summary

by MITRE • 07/19/2025

The WPLMS theme for WordPress is vulnerable to Privilege Escalation in versions 1.5.2 to 1.8.4.1 via the 'wp_ajax_import_data' AJAX action. This makes it possible for authenticated attackers to change otherwise restricted settings and potentially create a new accessible admin account.


Analysis

by VulDB Data Team • 12/16/2025

CVE-2015-10139 affects the WPLMS WordPress theme in versions 1.5.2 through 1.8.4.1. The privilege escalation flaw lies in the wp_ajax_import_data AJAX action, a weakness in the theme's access control: an authenticated attacker can bypass the normal permission checks, change restricted settings, and potentially elevate their privileges within the WordPress environment.

The root cause is inadequate input validation and, above all, insufficient authorization checking in the AJAX handler. When an authenticated user submits a request to the wp_ajax_import_data endpoint, the theme does not verify that the requesting user holds the administrative privileges the requested operation requires. Any user who holds, or has taken over, a legitimate low-privilege account can therefore perform actions that should be limited to administrators. Specifically, the theme processes import-data requests without enforcing role-based access control.

Operationally, the risk to installations running an affected WPLMS version is significant. An authenticated attacker with minimal privileges can use the flaw to modify core settings and reach configuration options that should remain restricted. The most serious outcome is the creation of a new administrator account, which gives complete control over the WordPress installation; the issue is therefore a path to full site compromise rather than a simple privilege escalation, and it is particularly dangerous for sites that host sensitive data or serve many users.

The vulnerability maps to CWE-285 (improper authorization) and shows behaviour consistent with ATT&CK techniques T1078 (valid accounts) and T1548 (abuse of privileges). Organizations running an affected WPLMS version should update to the latest theme version, which adds proper access control checks, and review user permissions so that only trusted administrators can reach the import functionality. Network-level restrictions and monitoring for unusual AJAX requests can help detect exploitation attempts. If the import functionality is not required, disabling it entirely removes the attack surface of the vulnerable code path.
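As an added illustration of the two points above (the missing authorization check in the AJAX handler, and the mitigation and monitoring advice), the following PHP is not WPLMS code but a generic WordPress AJAX handler for an import-data action, shown first in the unchecked form the analysis describes and then hardened with a nonce check, a capability check, an allow-list of writable options and a log line for denied attempts. Function and option names are hypothetical; the hook name follows WordPress's wp_ajax_{action} convention, so a client reaches it with a POST to /wp-admin/admin-ajax.php carrying action=import_data.

```php
<?php
/**
 * Added example, not code from the WPLMS theme. Handler and option names
 * (example_*) are hypothetical. Uses only standard WordPress API calls.
 */

// --- Pattern to avoid: every logged-in user reaches the handler and the
//     submitted settings are written unconditionally (the class of defect
//     described for wp_ajax_import_data). ---
function example_import_data_unchecked() {
    $settings = json_decode( wp_unslash( $_POST['data'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    foreach ( $settings as $name => $value ) {
        update_option( $name, $value ); // no nonce, no capability check, no allow-list
    }
    wp_send_json_success();
}

// --- Hardened handler: nonce, capability check, allow-list, audit log. ---

// Hypothetical theme-owned options that an import is allowed to touch.
const EXAMPLE_IMPORTABLE_OPTIONS = array( 'example_course_layout', 'example_certificate_text' );

function example_import_data_hardened() {
    // 1. CSRF protection: reject requests that lack a valid nonce for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'example_import_data', 'nonce' );

    // 2. Authorization: importing settings is an administrator-only operation.
    //    Denied attempts are logged so unusual AJAX activity can be monitored.
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'example_import_data denied: user=%d ip=%s',
            get_current_user_id(),
            sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' )
        ) );
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the payload shape before touching any option.
    $settings = json_decode( wp_unslash( $_POST['data'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }

    // 4. Only allow-listed, theme-owned options may be written, with sanitized
    //    string values; anything else (including core options such as roles)
    //    is silently skipped.
    $written = array();
    foreach ( $settings as $name => $value ) {
        if ( ! in_array( $name, EXAMPLE_IMPORTABLE_OPTIONS, true ) || ! is_string( $value ) ) {
            continue;
        }
        update_option( $name, sanitize_text_field( $value ) );
        $written[] = $name;
    }
    wp_send_json_success( array( 'written' => $written ) );
}

// Register only the hardened handler. There is deliberately no
// wp_ajax_nopriv_import_data registration, so unauthenticated requests
// never reach the handler at all.
add_action( 'wp_ajax_import_data', 'example_import_data_hardened' );
```

The capability check is the line whose absence the analysis describes; the nonce check and the allow-list are the additional controls a reviewer would expect around any settings-import endpoint, and the error_log() call gives the site owner a concrete signal to alert on when reviewing AJAX activity.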

Disclosure

07/19/2025

Moderation

accepted

CPE

ready

EPSS

0.67724

KEV

no

Activities

very low
