
CVE-2015-10139

Severity: High · Public PoC available

Published: 19 July 2025

Modified: 16 December 2025
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6772 (98.6th percentile)
Risk Priority: 58 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-10139 is a high-severity Improper Privilege Management (CWE-269) vulnerability in the Vibethemes WordPress Learning Management System (WPLMS) theme. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 1.4% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2015-10139 is a privilege escalation vulnerability in the WPLMS theme for WordPress, affecting versions 1.5.2 through 1.8.4.1. The flaw exists in the 'wp_ajax_import_data' AJAX action, which enables authenticated attackers to modify otherwise restricted settings and potentially create a new accessible admin account. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows the attacker to escalate privileges by altering site settings and creating admin accounts, resulting in high impacts to confidentiality, integrity, and availability.

Advisories and references include the WPScan vulnerability page (https://wpscan.com/vulnerability/7785), Packet Storm entry (https://packetstormsecurity.com/files/130291/), a WPScan Twitter post (https://twitter.com/_wpscan_/status/564874637679820800?lang=ca), the WPLMS theme page on ThemeForest (https://themeforest.net/item/wplms-learning-management-system/6780226), and a Rapid7 Metasploit auxiliary module for privilege escalation (https://www.rapid7.com/db/modules/auxiliary/admin/http/wp_wplms_privilege_escalation/). The CVE was published on 2025-07-19.


Vulnerability details

The WPLMS theme for WordPress is vulnerable to Privilege Escalation in versions 1.5.2 to 1.8.4.1 via the 'wp_ajax_import_data' AJAX action. This makes it possible for authenticated attackers to change otherwise restricted settings and potentially create a new accessible admin account.
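The missing authorization check this advisory describes, illustrated with a hypothetical WordPress AJAX handler (an example added here, not WPLMS's own code; the handler, hook and option names are invented): the unchecked form beside a hardened one that verifies a nonce, requires the manage_options capability and allow-lists the options it will write.

```php
<?php
// Added illustration, not WPLMS code. Hypothetical "import settings" AJAX
// handler modelled on the class of flaw described above.

// Weak pattern: every wp_ajax_* hook is reachable by any logged-in user, so a
// handler that writes options without a capability check lets a low-privilege
// account change restricted settings.
function example_import_data_unchecked() {
    $settings = json_decode( wp_unslash( $_POST['data'] ?? '' ), true );
    foreach ( (array) $settings as $name => $value ) {
        update_option( $name, $value ); // writes arbitrary options, no authz
    }
    wp_send_json_success();
}

// Hardened form: nonce + capability check + allow-list of option names.
function example_import_data_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_import_data', 'nonce' );

    // 2. Authorization: only users who may manage site options get further.
    //    This is the check whose absence turns a subscriber into an admin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: only known theme options, with sanitized values.
    $allowed  = array( 'example_theme_color', 'example_course_page' ); // hypothetical
    $settings = json_decode( wp_unslash( $_POST['data'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( array( 'message' => 'invalid payload' ), 400 );
    }
    foreach ( $settings as $name => $value ) {
        if ( ! in_array( $name, $allowed, true ) ) {
            continue; // drop anything outside the allow-list
        }
        update_option( $name, sanitize_text_field( (string) $value ) );
    }
    wp_send_json_success();
}

// Register only the hardened handler. No wp_ajax_nopriv_ hook is added, so
// unauthenticated requests never reach it.
add_action( 'wp_ajax_example_import_data', 'example_import_data_hardened' );
```

Being logged in is not authorization in WordPress: the capability check inside the handler is the control, which is why AC-3 and AC-6 are the mitigations this page names.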


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation via authenticated AJAX action allowing restricted setting modification and admin account creation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-48898: Same product class (CMS core)
CVE-2026-48899: Same product class (CMS core)
CVE-2026-48904: Same product class (CMS core)
CVE-2024-13835: Shared CWE-269
CVE-2025-36640: Shared CWE-269
CVE-2026-0859: Same product class (CMS core)
CVE-2026-29124: Shared CWE-269
CVE-2026-21533: Shared CWE-269
CVE-2023-7343: Shared CWE-269
CVE-2025-21360: Shared CWE-269

Affected Assets

Vendor: vibethemes
Product: wordpress learning management system
Versions: 1.5.2 to 1.8.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent): Enforces least privilege to prevent authenticated low-privilege users from escalating via the wp_ajax_import_data action to modify restricted settings or create admin accounts.

AC-3 Access Enforcement (prevent): Requires mechanisms to enforce access control policies, directly mitigating the lack of privilege checks in the vulnerable AJAX endpoint.

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation, addressing the specific privilege escalation vulnerability in WPLMS theme versions 1.5.2 to 1.8.4.1.
