Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2025-14156 — AI Deep Analysis Summary

CVSS 9.8 · Critical

Q1What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: A critical Input Validation Error in Fox LMS. 📉 **Consequences**: Attackers can escalate privileges, gaining unauthorized admin access. This breaks the core security model of the WordPress site.

Q2Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: **CWE-20** (Improper Input Validation). The plugin fails to verify the `role` parameter. 🐛 **Flaw**: Missing checks allow malicious input to bypass intended restrictions.

Q3Who is affected? (Versions/Components)

🎯 **Affected**: **ays-pro**'s **Fox LMS – WordPress LMS Plugin**. 📦 **Versions**: **1.0.5.1 and earlier**. If you are running 1.0.4.7 to 1.0.5.1, you are vulnerable.

Q4What can hackers do? (Privileges/Data)

💀 **Attacker Actions**: **Privilege Escalation**. Hackers can elevate their status from a regular user to an **Administrator**.…

Q5Is exploitation threshold high? (Auth/Config)

⚡ **Threshold**: **LOW**. CVSS Vector shows **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges Required). 🚪 **Access**: **Unauthenticated**. Anyone can exploit this without logging in first.

Q6Is there a public Exp? (PoC/Wild Exploitation)

🔓 **Exploit Status**: **YES**. A public PoC exists on GitHub (`Nxploited/CVE-2025-14156`). 🌐 **Wild Exploitation**: Likely.…

Q7How to self-check? (Features/Scanning)

🔍 **Self-Check**: 1. Check your WordPress Plugins list for **Fox LMS**. 2. Verify version is **≤ 1.0.5.1**. 3. Use scanners to detect unauthenticated API calls to the `createOrder` endpoint.…

Q8Is it fixed officially? (Patch/Mitigation)

✅ **Fix Status**: **YES**. Version **1.0.5.2** contains the fix. 📝 **Patch**: The developer corrected the validation in `Payments.php`. Update immediately to 1.0.5.2 or later.

Q9What if no patch? (Workaround)

🚧 **No Patch Workaround**: 1. **Disable** the Fox LMS plugin immediately if you cannot update. 2. Restrict access to `wp-admin` via IP whitelist. 3.…

Q10Is it urgent? (Priority Suggestion)

🔥 **Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.8+). 🚨 **Priority**: **P0**. Unauthenticated privilege escalation is a site-killer. Patch **NOW** to prevent total compromise.