{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69359", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:32.245Z", "datePublished": "2026-01-06T16:36:41.733Z", "dateUpdated": "2026-04-28T16:14:38.782Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "creatorlms", "product": "Creator LMS", "vendor": "WPFunnels", "versions": [{"changes": [{"at": "1.1.13", "status": "unaffected"}], "lessThanOrEqual": "1.1.12", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:12.183Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Creator LMS: from n/a through <= 1.1.12.</p>"}], "value": "Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:38.782Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Creator LMS plugin <= 1.1.12 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:16:07.248611Z", "id": "CVE-2025-69359", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:00:29.030Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69359", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T14:16:07.248611Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:15:59.280Z"}}], "cna": {"title": "WordPress Creator LMS plugin <= 1.1.12 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPFunnels", "product": "Creator LMS", "versions": [{"status": "affected", "changes": [{"at": "1.1.13", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.12"}], "packageName": "creatorlms", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:12.183Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Creator LMS: from n/a through <= 1.1.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.276Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69359", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:28:12.540Z", "dateReserved": "2025-12-31T20:12:32.245Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:41.733Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12."}], "id": "CVE-2025-69359", "lastModified": "2026-04-27T19:16:43.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-06T17:15:48.440", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:52:19.674743+00:00", "value": {"mitigation_remediation": ["Upgrade the Creator LMS plugin to a version later than 1.1.12, or uninstall it if no update is available.", "Restrict the plugin\u2019s administrative routes to administrator roles only and review any custom capabilities that may grant broader access.", "Audit existing content and user data for unauthorized changes and rotate credentials for any accounts that might have been compromised."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Resource Access"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress plugin Creator LMS from the WPFunnels vendor. All versions from the initial release up to and including 1.1.12 are impacted. Site owners using any of these releases are vulnerable.", "description_and_impact": "The vulnerability arises from missing authorization checks within the Creator LMS plugin, allowing actors to exploit incorrectly configured access control levels. Attackers can read or alter content that should be protected, such as course materials, user progress, or administrative settings. This weakness aligns with CWE-862, an Authorization Bypass.", "risk_and_exploitability": "The CVSS score of 5.3 marks it as a moderate severity flaw. The EPSS score is below 1%, indicating a low likelihood of exploitation, and it is not listed in the CISA KEV catalog. Likely exploitation occurs via the web interface of the plugin, potentially requiring authenticated or unauthenticated access depending on the site\u2019s configuration."}}}}, "created": "2026-01-07T10:08:59.439041+00:00", "updated": "2026-04-27T22:00:16.546177+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpfunnels", "wpfunnels$PRODUCT$creator_lms"]}