PT-2025-51229 · WordPress · Fox Lms

Kenneth Dunn · Published 2025-12-15 · Updated 2025-12-20 · CVE-2025-14156

CVSS v3.1

9.8 Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Fox LMS – WordPress LMS Plugin versions prior to 1.0.5.1

Description

The Fox LMS – WordPress LMS Plugin does not properly validate the role parameter when creating new users via the /fox-lms/v1/payments/create-order API endpoint. This allows unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, potentially leading to complete site compromise.

Recommendations

Versions prior to 1.0.5.1 should be updated to version 1.0.5.1 or later.
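
A triage check for the issue described above, as an added example (not code from the advisory or the plugin): it finds POST requests to the create-order route in a web access log and flags administrator accounts registered shortly afterwards. Assumed here: combined log format, a user export shaped like `wp user list --fields=user_login,roles,user_registered --format=json`, a 60-second correlation window, and the constructed sample data.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

ENDPOINT = "fox-lms/v1/payments/create-order"  # route named in the advisory
# Combined log format (assumed): client IP, [timestamp], "METHOD target ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def endpoint_hits(log_lines):
    """Return (time_utc, client_ip) for each POST that targets the endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        # Covers /wp-json/<route> and the (possibly encoded) ?rest_route=/<route> form
        if m and m.group(3) == "POST" and ENDPOINT in unquote(m.group(4)):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts.astimezone(timezone.utc), m.group(1)))
    return hits

def suspicious_admins(users, hits, window=timedelta(seconds=60)):
    """Flag administrator accounts registered within `window` after a hit."""
    flagged = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        reg = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        reg = reg.replace(tzinfo=timezone.utc)  # WordPress stores this value in UTC
        for ts, ip in hits:
            if timedelta(0) <= reg - ts <= window:
                flagged.append((u["user_login"], ip, ts.isoformat()))
                break
    return flagged

# Constructed sample data (not from a real site)
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Dec/2025:10:15:02 +0100] "POST /wp-json/fox-lms/v1/payments/create-order HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.4 - - [16/Dec/2025:10:20:00 +0100] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = json.loads("""[
  {"user_login": "siteowner", "roles": "administrator", "user_registered": "2024-03-01 08:00:00"},
  {"user_login": "svc_backup", "roles": "administrator", "user_registered": "2025-12-16 09:15:03"},
  {"user_login": "learner42", "roles": "subscriber", "user_registered": "2025-12-16 09:15:30"}
]""")

if __name__ == "__main__":
    for login, ip, ts in suspicious_admins(SAMPLE_USERS, endpoint_hits(SAMPLE_LOG)):
        print(f"review account {login!r}: created after POST from {ip} at {ts}")
```

A flagged account is a lead for manual review, not proof of compromise; accounts with other elevated roles can be checked the same way by changing the role string.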

Fix

LPE

RCE

Weakness Enumeration

Related Identifiers

CVE-2025-14156

Affected Products

Fox Lms