📄 Description (English)
The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options.
🤖 AI Executive Summary
Creator LMS WordPress plugin versions up to 1.1.12 contain a critical privilege escalation vulnerability (CVE-2025-15347) allowing authenticated contributors to modify arbitrary WordPress options through a missing capability check. This vulnerability enables attackers to escalate privileges, modify site configurations, and potentially compromise WordPress installations used by educational institutions and training organizations across Saudi Arabia. Immediate patching to version 1.1.13 or later is essential.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 04:05
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi educational institutions, online training platforms, and corporate learning management systems. Affected sectors include: (1) Higher Education - universities and colleges using Creator LMS for course delivery; (2) Government Training - NCIT and government agencies using WordPress-based training platforms; (3) Corporate Training - Saudi enterprises (banking, telecom, energy sectors) using LMS for employee development; (4) EdTech Startups - growing Saudi education technology companies. The vulnerability allows privilege escalation from contributor to administrator level, enabling attackers to modify WordPress configurations, inject malicious code, steal sensitive data, or establish persistent backdoors.
🏢 Affected Saudi Sectors
Higher Education
Government Training and Development
Corporate Training and Development
EdTech and Online Learning Platforms
Banking and Financial Services
Telecommunications
Energy Sector
Healthcare Training Programs
🎯 MITRE ATT&CK Techniques
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1078 - Valid Accounts
T1078.001 - Valid Accounts: Default Accounts
T1098 - Account Manipulation
T1098.001 - Account Manipulation: Additional Cloud Credentials
T1190 - Exploit Public-Facing Application
T1199 - Trusted Relationship
T1566 - Phishing
T1199 - Trusted Relationship
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using Creator LMS plugin by reviewing plugin directories and WordPress admin dashboards
2. Document current plugin version for all affected installations
3. Disable the Creator LMS plugin immediately if version 1.1.12 or earlier is detected
PATCHING GUIDANCE:
1. Update Creator LMS plugin to version 1.1.13 or later from official WordPress plugin repository
2. Test updates in staging environment before production deployment
3. Verify plugin functionality post-update
COMPENSATING CONTROLS (if immediate patching not possible):
1. Restrict contributor-level user accounts - audit and remove unnecessary contributor permissions
2. Implement Web Application Firewall (WAF) rules to monitor and block suspicious option modification requests
3. Enable WordPress security plugins with capability monitoring (e.g., Wordfence, Sucuri)
4. Implement database activity monitoring for wp_options table modifications
5. Restrict API access to authenticated users only
DETECTION RULES:
1. Monitor WordPress logs for get_items_permissions_check function calls from contributor-level users
2. Alert on wp_options table modifications by non-administrator accounts
3. Track REST API requests to /wp-json/creator-lms endpoints from contributor accounts
4. Monitor for suspicious option names being modified (siteurl, home, admin_email, etc.)
5. Implement IDS signatures for unauthorized WordPress option updates
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات WordPress التي تستخدم مكون Creator LMS من خلال مراجعة دلائل المكونات ولوحات تحكم WordPress
2. توثيق إصدار المكون الحالي لجميع التثبيتات المتأثرة
3. تعطيل مكون Creator LMS فوراً إذا تم اكتشاف الإصدار 1.1.12 أو أقدم
إرشادات التصحيح:
1. تحديث مكون Creator LMS إلى الإصدار 1.1.13 أو أحدث من مستودع مكونات WordPress الرسمي
2. اختبار التحديثات في بيئة التدريج قبل نشر الإنتاج
3. التحقق من وظائف المكون بعد التحديث
الضوابط التعويضية (إذا لم يكن التصحيح الفوري ممكناً):
1. تقييد حسابات المستخدمين على مستوى المساهم - تدقيق وإزالة أذونات المساهم غير الضرورية
2. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لمراقبة وحظر طلبات تعديل الخيارات المريبة
3. تفعيل مكونات أمان WordPress مع مراقبة القدرات (مثل Wordfence و Sucuri)
4. تنفيذ مراقبة نشاط قاعدة البيانات لتعديلات جدول wp_options
5. تقييد وصول API للمستخدمين المصرحين فقط
قواعد الكشف:
1. مراقبة سجلات WordPress لاستدعاءات دالة get_items_permissions_check من مستخدمي مستوى المساهم
2. التنبيه على تعديلات جدول wp_options بواسطة حسابات غير المسؤول
3. تتبع طلبات REST API إلى نقاط نهاية /wp-json/creator-lms من حسابات المساهمين
4. مراقبة أسماء الخيارات المريبة التي يتم تعديلها (siteurl و home و admin_email وما إلى ذلك)
5. تنفيذ توقيعات IDS لتحديثات خيارات WordPress غير المصرح بها
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Information security roles and responsibilities
A.6.2.1 - Access control and authorization
A.9.1.1 - Access control policy
A.9.2.1 - User access management
A.9.2.5 - Access rights review
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logs
🔵 SAMA CSF
ID.AM-1 - Asset Management
PR.AC-1 - Access Control Policy
PR.AC-4 - Access Control Implementation
DE.CM-1 - System Monitoring
DE.CM-3 - Unauthorized Software Detection
RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
A.5.1.1 - Information security policies
A.6.1.1 - Information security roles and responsibilities
A.9.1.1 - Access control policy
A.9.2.1 - User registration and de-registration
A.9.2.5 - Access rights review
A.12.4.1 - Event logging
A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0
Requirement 1.1 - Firewall configuration standards
Requirement 2.1 - Default security parameters
Requirement 6.2 - Security patches and updates
Requirement 7.1 - Limit access to system components
Requirement 10.2 - Implement automated audit trails