Cyber Posture

CVE-2015-10143

Critical · Public PoC

Published: 25 July 2025

Modified: 16 December 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6745 (98.6th percentile)
Risk Priority: 60 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-10143 is a critical-severity Missing Authorization (CWE-862) vulnerability in Pagelines Platform Theme. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Enforces approved authorizations for access to system resources, directly mitigating the missing capability check in the AJAX function that allows unauthenticated attackers to modify WordPress options.

prevent

Requires timely identification, reporting, and correction of flaws, such as updating the Platform theme to version 1.4.4 or later to fix the authorization vulnerability.

prevent

Employs least privilege to restrict unauthorized modifications and limit privilege escalation even if initial access enforcement fails.

NVD Description

The Platform theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the *_ajax_save_options() function in all versions up to 1.4.4 (exclusive). This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Deeper analysis [AI]

CVE-2015-10143 is a critical vulnerability in the Platform theme for WordPress, affecting all versions up to but excluding 1.4.4. It arises from a missing capability check in the *_ajax_save_options() function, enabling unauthorized modification of WordPress site options and potentially leading to privilege escalation. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By sending crafted requests to the affected AJAX endpoint, they can arbitrarily update WordPress options, such as enabling user registration and changing the default role for new registrants to administrator. This allows attackers to self-register with full administrative access to the vulnerable site.

Advisories and resources, including a Sucuri security notice from 2015, detail the flaw in the Pagelines Platform theme, while Wordfence tracks it under a specific threat ID. A Metasploit Framework module (wp_platform_exec.rb) demonstrates practical exploitation, confirming the vulnerability's weaponization potential. Mitigation requires updating the Platform theme to version 1.4.4 or later to address the missing capability check.
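A defender-side triage check for the condition described above, as an added example that is not code from this page or from the theme: it reads the theme's `Version` header from `style.css`, compares it with the fixed release 1.4.4, and flags the two WordPress core options the description names (`users_can_register`, `default_role`). The finding codes are hypothetical labels and the sample inputs are constructed.

```python
import re

FIXED = (1, 4, 4)  # per the advisory text: versions before 1.4.4 are affected

def theme_version(style_css):
    """Return the Version header of a theme's style.css as an int tuple, or None."""
    m = re.search(r"^[ \t/*]*Version:[ \t]*(\d+(?:\.\d+)*)", style_css, re.M | re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "1.4" compares as 1.4.0

def audit(style_css, options):
    """Return finding codes for one site; an empty list means nothing flagged."""
    findings = []
    version = theme_version(style_css)
    if version is None:
        findings.append("VERSION_UNKNOWN")        # hypothetical code: check by hand
    elif version < FIXED:
        findings.append("THEME_NEEDS_UPDATE")     # hypothetical code
    # The two options the description says an attacker would change.
    admin_default = options.get("default_role", "subscriber") == "administrator"
    open_signup = str(options.get("users_can_register", "0")) == "1"
    if admin_default and open_signup:
        findings.append("OPEN_ADMIN_REGISTRATION")  # anyone can self-register as admin
    elif admin_default:
        findings.append("ADMIN_DEFAULT_ROLE")       # risky even with signup closed
    return findings

# Constructed sample inputs (not taken from a real site).
OLD_THEME = "/*\nTheme Name: Platform\nVersion: 1.4.3\n*/\n"
FIXED_THEME = "/*\nTheme Name: Platform\nVersion: 1.4.4\n*/\n"
TAMPERED = {"users_can_register": "1", "default_role": "administrator"}
DEFAULTS = {"users_can_register": "0", "default_role": "subscriber"}

if __name__ == "__main__":
    print(audit(OLD_THEME, TAMPERED))
    print(audit(FIXED_THEME, DEFAULTS))
```

Option values persist in the database after the theme is updated, so the option check is worth running on already-patched sites as well.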

Details

CWE(s)

Affected Products

pagelines · platform theme · ≤ 1.4.4

CVEs Like This One

CVE-2024-12365 (Shared CWE-862)
CVE-2025-67974 (Shared CWE-862)
CVE-2025-65669 (Shared CWE-862)
CVE-2026-28254 (Shared CWE-862)
CVE-2025-48574 (Shared CWE-862)
CVE-2026-3266 (Shared CWE-862)
CVE-2025-69297 (Shared CWE-862)
CVE-2025-69186 (Shared CWE-862)
CVE-2026-25456 (Shared CWE-862)
CVE-2024-12810 (Shared CWE-862)
