{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27983", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:12:49.961Z", "datePublished": "2026-03-05T05:54:03.452Z", "dateUpdated": "2026-04-28T16:15:03.560Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "lms-elementor-pro", "product": "LMS Elementor Pro", "vendor": "designthemes", "versions": [{"lessThanOrEqual": "1.0.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "luc | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:13.639Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in designthemes LMS Elementor Pro lms-elementor-pro allows Privilege Escalation.<p>This issue affects LMS Elementor Pro: from n/a through <= 1.0.4.</p>"}], "value": "Incorrect Privilege Assignment vulnerability in designthemes LMS Elementor Pro lms-elementor-pro allows Privilege Escalation.This issue affects LMS Elementor Pro: from n/a through <= 1.0.4."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:03.560Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lms-elementor-pro/vulnerability/wordpress-lms-elementor-pro-plugin-1-0-4-privilege-escalation-vulnerability?_s_id=cve"}], "title": "WordPress LMS Elementor Pro plugin <= 1.0.4 - Privilege Escalation vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:41:46.572269Z", "id": "CVE-2026-27983", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:08:28.076Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T18:41:46.572269Z"}}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:41:34.502Z"}}], "cna": {"title": "WordPress LMS Elementor Pro plugin <= 1.0.4 - Privilege Escalation vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "luc | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "designthemes", "product": "LMS Elementor Pro", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.4"}], "packageName": "lms-elementor-pro", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:06:13.639Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/lms-elementor-pro/vulnerability/wordpress-lms-elementor-pro-plugin-1-0-4-privilege-escalation-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in designthemes LMS Elementor Pro lms-elementor-pro allows Privilege Escalation.This issue affects LMS Elementor Pro: from n/a through <= 1.0.4.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in designthemes LMS Elementor Pro lms-elementor-pro allows Privilege Escalation.<p>This issue affects LMS Elementor Pro: from n/a through <= 1.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:03.560Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27983", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:15:03.560Z", "dateReserved": "2026-02-25T12:12:49.961Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:03.452Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in designthemes LMS Elementor Pro lms-elementor-pro allows Privilege Escalation.This issue affects LMS Elementor Pro: from n/a through <= 1.0.4."}, {"lang": "es", "value": "Vulnerabilidad de Asignaci\u00f3n Incorrecta de Privilegios en designthemes LMS Elementor Pro lms-elementor-pro permite la escalada de privilegios. Este problema afecta a LMS Elementor Pro: desde n/d hasta &lt;= 1.0.4."}], "id": "CVE-2026-27983", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:30.370", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/lms-elementor-pro/vulnerability/wordpress-lms-elementor-pro-plugin-1-0-4-privilege-escalation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "lms_elementor_pro", "vendor": "designthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:27:52.273158+00:00", "value": {"mitigation_remediation": ["Upgrade LMS Elementor Pro to the latest version (1.0.5 or newer) to remove the privilege escalation flaw.", "If an upgrade is not immediately feasible, disable the plugin until a patch is applied to prevent exploitation.", "Monitor WordPress audit logs for any unauthorized account changes or privilege escalation activities and investigate promptly."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All installations of the designthemes LMS Elementor Pro plugin with version 1.0.4 or earlier are affected. No other versions or separate products are listed as impacted.", "description_and_impact": "The vulnerability is an incorrect privilege assignment flaw in the LMS Elementor Pro WordPress plugin. It allows an attacker to elevate their access level within the WordPress installation, potentially giving them higher permissions than intended. This weakness is classified as CWE\u2011266. The impact is that an attacker with limited or even guest access could gain administrator capabilities, compromising the site\u2019s confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 9.8 signals a critical severity. The EPSS score of less than 1\u202f% indicates a low probability of exploitation at the moment, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector likely involves the plugin\u2019s administrative interface, where an attacker with some level of authenticated or even unauthenticated access could manipulate user data to elevate privileges. Once escalated, the attacker can perform any action allowed to an admin, such as installing additional plugins, modifying site settings, or accessing sensitive user information."}}}}, "created": "2026-03-06T15:11:57.134864+00:00", "updated": "2026-04-15T23:30:17.202506+00:00", "vendors": ["designthemes", "designthemes$PRODUCT$lms_elementor_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}