CVE-2019-15896

CRITICAL

LifterLMS <3.34.5 - Privilege Escalation

Description

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.

Exploits (1)

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2019-15896

Scores

CVSS v3 9.8
EPSS 0.0372
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-306
Status published

Affected Products (1)

lifterlms/lifterlms < 3.34.5

Timeline

Published Sep 10, 2019
Tracked Since Feb 18, 2026