CVE-2019-15896

CRITICAL

LifterLMS <3.34.5 - Privilege Escalation

Title source: llm

Description

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.

Exploits (1)

nomisec WORKING POC

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2019-15896

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-lifterlms-plugin/

[Release Notes] https://wordpress.org/plugins/lifterlms/#developers

[Third Party Advisory] https://wpvulndb.com/vulnerabilities/9871

Scores

CVSS v3 9.8

EPSS 0.0372

EPSS Percentile 88.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-306

Status published

Products (1)

lifterlms/lifterlms < 3.34.5

Published Sep 10, 2019

Tracked Since Feb 18, 2026