CVE-2015-10139
Published: 19 July 2025
Summary
CVE-2015-10139 is a high-severity Improper Privilege Management (CWE-269) vulnerability in the Vibethemes WordPress Learning Management System (WPLMS) theme. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): enforces least privilege so that authenticated low-privilege users cannot escalate via the wp_ajax_import_data action to modify restricted settings or create admin accounts.
- AC-3 (Access Enforcement): requires mechanisms that enforce access control policies, directly mitigating the missing privilege checks in the vulnerable AJAX endpoint.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, addressing the specific privilege escalation vulnerability in WPLMS theme versions 1.5.2 to 1.8.4.1.
NVD Description
The WPLMS theme for WordPress is vulnerable to Privilege Escalation in versions 1.5.2 to 1.8.4.1 via the 'wp_ajax_import_data' AJAX action. This makes it possible for authenticated attackers to change otherwise restricted settings and potentially create a new accessible admin account.
Deeper analysis
CVE-2015-10139 is a privilege escalation vulnerability in the WPLMS theme for WordPress, affecting versions 1.5.2 through 1.8.4.1. The flaw exists in the 'wp_ajax_import_data' AJAX action, which enables authenticated attackers to modify otherwise restricted settings and potentially create a new accessible admin account. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows the attacker to escalate privileges by altering site settings and creating admin accounts, resulting in high impacts to confidentiality, integrity, and availability.
Advisories and references include the WPScan vulnerability page (https://wpscan.com/vulnerability/7785), Packet Storm entry (https://packetstormsecurity.com/files/130291/), a WPScan Twitter post (https://twitter.com/_wpscan_/status/564874637679820800?lang=ca), the WPLMS theme page on ThemeForest (https://themeforest.net/item/wplms-learning-management-system/6780226), and a Rapid7 Metasploit auxiliary module for privilege escalation (https://www.rapid7.com/db/modules/auxiliary/admin/http/wp_wplms_privilege_escalation/). The CVE was published on 2025-07-19.
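The root cause the analysis above describes is a privileged AJAX action reachable by any authenticated user, with no capability check between "logged in" and "allowed to change site settings". The following WordPress handler is an added illustration of the AC-3/AC-6 controls applied at that point; it is not the WPLMS theme's code. Only the action name 'wp_ajax_import_data' comes from the advisory; the callback name, nonce action, option names and allow-list are assumed for the example.

```php
<?php
// Illustrative hardened handler for a privileged theme/plugin AJAX action.
// Not the WPLMS theme's code. The hook name 'wp_ajax_import_data' is from the
// advisory; every other identifier here is assumed for illustration.

add_action( 'wp_ajax_import_data', 'example_guarded_import_data' );

function example_guarded_import_data() {
    // 1. Authorization (AC-3 / AC-6): authentication alone is not enough.
    //    The 'wp_ajax_' prefix only guarantees a logged-in user, so any
    //    subscriber can reach this callback. Require a capability that
    //    matches the sensitivity of the operation. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. Anti-CSRF: require a nonce minted for this specific action
    //    (client side: wp_create_nonce( 'example_import_data_nonce' )).
    //    check_ajax_referer() dies on failure by default.
    check_ajax_referer( 'example_import_data_nonce', 'nonce' );

    // 3. Allow-list the settings that may be written. Never let the client
    //    name arbitrary options, and never accept user or role data through
    //    a settings-import path.
    $allowed = array( 'example_course_page_title', 'example_items_per_page' );

    $payload = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $updated = array();
    foreach ( $payload as $key => $value ) {
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // drop anything outside the allow-list
        }
        update_option( $key, sanitize_text_field( (string) $value ) );
        $updated[] = $key;
    }

    wp_send_json_success( array( 'updated' => $updated ) );
}
```

The capability check is the one that closes CWE-269 here; the nonce and the allow-list are defence in depth, since a settings-import endpoint that accepts arbitrary option names is one update away from an admin-creating change even when only administrators can reach it. For detection on still-unpatched sites, POST requests to admin-ajax.php with action=import_data from accounts below administrator are the signal to alert on.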
Details
- CWE(s)