Mallory

Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation

Tags: internet-facing-service-vulnerability, actively-exploited-vulnerability, widely-deployed-product-advisory, identity-authentication-vulnerability, financial-sector-threat
Updated March 21, 2026 at 02:48 PM · 4 sources

Multiple high-severity vulnerabilities were disclosed across popular WordPress plugins, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, CVE-2025-15521 in Academy LMS (<= 3.5.0), allows unauthenticated administrator account takeover because the plugin’s password update flow relies on a publicly exposed WordPress nonce as authorization rather than validating user identity; Wordfence reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period.

Additional disclosures affect other plugins with different exploitation prerequisites and impacts. CVE-2026-0726 in Nexter Extension – Site Enhancements Toolkit (<= 4.4.6) is an unauthenticated PHP object injection via nxt_unserialize_replace, but it requires a usable POP chain from another installed plugin/theme to reach file deletion, data theft, or code execution. CVE-2025-15347 in Creator LMS (<= 1.1.12) enables authenticated (Contributor+) attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. CVE-2025-14977 in Dokan (<= 4.2.4) is an IDOR in the /wp-json/dokan/v1/settings REST endpoint that lets authenticated (Customer+) users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.
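The Academy LMS and Creator LMS issues share one root cause: a request is gated by something that is not an authorization check (a nonce, or nothing at all) before it changes sensitive state. The following is an added example, not code from either plugin or from Wordfence; it uses hypothetical handler and option names (`example_*`) to show the nonce-only pattern beside a version that binds the action to the caller's identity and capabilities.

```php
<?php
// Added example (not Academy LMS or Creator LMS code): hypothetical AJAX handlers
// showing the nonce-only pattern beside an identity/capability-checked version.

// VULNERABLE PATTERN: the nonce is the only gate. A nonce only proves the request
// originated from a page the site served; it says nothing about who is asking,
// and a nonce printed into public HTML is available to every visitor.
function example_update_password_nonce_only() {
    check_ajax_referer( 'example_update_password', 'nonce' );

    $user_id      = absint( $_POST['user_id'] ?? 0 );
    $new_password = (string) ( $_POST['new_password'] ?? '' );

    wp_set_password( $new_password, $user_id ); // any user id, any caller
    wp_send_json_success();
}

// HARDENED: keep the nonce (it still prevents CSRF), then require a logged-in
// caller who is either the account owner or allowed to edit that user.
function example_update_password_checked() {
    check_ajax_referer( 'example_update_password', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $user_id      = absint( $_POST['user_id'] ?? 0 );
    $new_password = (string) ( $_POST['new_password'] ?? '' );

    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( strlen( $new_password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new_password, $user_id );
    wp_send_json_success();
}

// Same principle for an options-update handler (the Creator LMS class of bug):
// require manage_options and accept only an allow-list of option names, so even
// an authorized caller cannot rewrite users_can_register, default_role, etc.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_lms_currency', 'example_lms_per_page' );

function example_update_option_checked() {
    check_ajax_referer( 'example_update_option', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $name  = sanitize_key( $_POST['option'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );

    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    update_option( $name, $value );
    wp_send_json_success();
}

// Register the hardened handlers on the logged-in hook only; with no
// wp_ajax_nopriv_ registration, anonymous callers never reach them.
add_action( 'wp_ajax_example_update_password', 'example_update_password_checked' );
add_action( 'wp_ajax_example_update_option', 'example_update_option_checked' );
```

When reviewing a plugin, the question to ask of every state-changing handler is which line establishes who the caller is and whether they may act on this specific record; `check_ajax_referer` alone never answers it.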

Timeline

  1. Jan 22, 2026

    Wordfence observes exploitation attempts against Academy LMS flaw

    Wordfence reported attempted in-the-wild exploitation of CVE-2025-15521 and said its firewalls blocked 76 attacks in a 24-hour period. The activity showed active targeting of vulnerable Academy LMS sites before or around public reporting.

  2. Jan 22, 2026

    Academy LMS account takeover flaw disclosed

    A critical vulnerability, CVE-2025-15521, was reported in Academy LMS versions up to 3.5.0. The flaw allows unauthenticated attackers to reset arbitrary users’ passwords by abusing a publicly exposed WordPress nonce, enabling administrator account takeover.

  3. Jan 20, 2026

    Nexter Extension deserialization bug disclosed

    A PHP object injection vulnerability was disclosed in the Nexter Extension plugin affecting versions up to 4.4.6 due to unsafe deserialization in the 'nxt_unserialize_replace' function. Unauthenticated exploitation could become dangerous if another installed plugin or theme provides a usable POP chain, potentially enabling file deletion, data access, or code execution.

  4. Jan 20, 2026

    Creator LMS authorization flaw enables arbitrary option updates

    A missing capability check was disclosed in the Creator LMS plugin affecting versions up to 1.1.12. Authenticated users with contributor-level access or higher could update arbitrary WordPress options, creating a path to privilege escalation.

  5. Jan 20, 2026

    Dokan plugin IDOR flaw affects versions through 4.2.4

    An insecure direct object reference vulnerability was identified in the Dokan WooCommerce multivendor marketplace plugin affecting versions up to 4.2.4. Authenticated users with customer-level access or higher could read or modify other vendors’ settings, exposing payout and contact data and potentially redirecting PayPal payouts.
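The Dokan and Nexter Extension entries describe the other two failure modes on this page: an endpoint that authenticates the caller but never checks that the record belongs to them, and `unserialize()` run on attacker-controlled bytes. The following is an added example, not Dokan or Nexter Extension code; the route namespace, meta key, and the assumption that a vendor record is keyed by its owner's user ID are all hypothetical.

```php
<?php
// Added example (not Dokan or Nexter Extension code): a hypothetical per-vendor
// settings REST route with an object-level permission_callback, and a
// deserialization helper that refuses to instantiate any class.

// Ownership check. Assumption for this example: a vendor record is identified by
// the user ID of the vendor who owns it. "Logged in" is not enough; the caller
// must own this record or hold a site-wide management capability.
function example_vendor_settings_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $vendor_id = (int) $request['id'];
    if ( $vendor_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only access your own settings.', array( 'status' => 403 ) );
    }
    return true;
}

function example_get_vendor_settings( WP_REST_Request $request ) {
    $vendor_id = (int) $request['id'];
    return rest_ensure_response( array(
        'payout_email' => get_user_meta( $vendor_id, 'example_payout_email', true ),
    ) );
}

function example_update_vendor_settings( WP_REST_Request $request ) {
    $vendor_id = (int) $request['id'];
    $email     = sanitize_email( (string) $request['payout_email'] );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid payout email.', array( 'status' => 400 ) );
    }
    update_user_meta( $vendor_id, 'example_payout_email', $email );
    return rest_ensure_response( array( 'updated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings/(?P<id>\d+)', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_vendor_settings',
            'permission_callback' => 'example_vendor_settings_permission',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_update_vendor_settings',
            'permission_callback' => 'example_vendor_settings_permission',
            'args'                => array(
                'payout_email' => array( 'required' => true, 'type' => 'string' ),
            ),
        ),
    ) );
} );

// Deserialization: with allowed_classes => false (PHP 7.0+), any serialized object
// is restored as __PHP_Incomplete_Class, so no __wakeup/__destruct gadget from
// another installed plugin or theme can run, whatever POP chains exist on the site.
function example_safe_unserialize( $raw ) {
    if ( ! is_string( $raw ) ) {
        return $raw;
    }
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( false === $value && 'b:0;' !== $raw ) {
        return null; // malformed input rather than a legitimately serialized false
    }
    return $value;
}
```

Where the plugin controls the storage format, `wp_json_encode()`/`json_decode()` removes the object-injection surface altogether; `allowed_classes => false` is the fallback when an existing serialized format has to be kept.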


Related Stories

Exploitation of CVE-2026-1492 in WordPress User Registration & Membership Plugin Enables Admin Account Creation

Active exploitation has been reported against **CVE-2026-1492** in the *User Registration & Membership* WordPress plugin (WPEverest), allowing **unauthenticated privilege escalation** by submitting a user-controlled role value during membership registration. The flaw affects versions **through 5.1.2** and enables attackers to create **administrator** accounts, which can then be used to install plugins/themes, modify PHP code and security settings, exfiltrate site/user data, and potentially implant malware or backdoors. Wordfence/Defiant telemetry cited in reporting indicates exploitation attempts were observed and blocked at scale in customer environments. A fix was released in **5.1.3** (with **5.1.4** available), and the recommended mitigation is to **update immediately** or temporarily disable/uninstall the plugin if patching is not possible. Other WordPress plugin CVEs in the provided material—**CVE-2026-1321** (*Restrict Content* unauth privilege escalation via `rcp_level`), **CVE-2026-1720** (*WowOptin* missing authorization enabling Subscriber+ arbitrary plugin installation), and **CVE-2026-2628** (*All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login* authentication bypass)—are separate issues and should be tracked independently, as they do not describe the same exploited vulnerability affecting *User Registration & Membership* (CVE-2026-1492).

2 weeks ago
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation

Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.

1 month ago
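Both flaws in the story above come down to letting request data select which PHP function runs, once via `call_user_func` on placeholder storage and once via an unauthenticated "call this function" endpoint. The following is an added example, not Kali Forms or Aimogen Pro code; the action names, `example_*` functions and the nonce action string are hypothetical.

```php
<?php
// Added example (not Kali Forms or Aimogen Pro code): dispatchers that replace
// "call_user_func on a request-controlled string" with a fixed allow-list of
// callables, plus a capability check in front of the privileged one.

// Map of public action keys to fixed callables. The request chooses a key; the
// code chooses the function. No request value is ever used as a function name.
function example_form_actions() {
    return array(
        'email' => 'example_action_send_email',
        'store' => 'example_action_store_entry',
    );
}

function example_action_send_email( array $fields ) {
    return 'emailed ' . count( $fields ) . ' fields';
}

function example_action_store_entry( array $fields ) {
    return 'stored ' . count( $fields ) . ' fields';
}

// VULNERABLE PATTERN: the request names the function that gets called.
function example_form_process_unsafe( array $request ) {
    $callback = (string) ( $request['action'] ?? '' );
    return call_user_func( $callback, $request['fields'] ?? array() );
}

// HARDENED: unknown keys are rejected, inputs are sanitized, and the callable
// comes from the allow-list.
function example_form_process_safe( array $request ) {
    $actions = example_form_actions();
    $key     = sanitize_key( $request['action'] ?? '' );
    if ( ! isset( $actions[ $key ] ) ) {
        return new WP_Error( 'invalid_action', 'Unknown form action.' );
    }
    $fields = array_map( 'sanitize_text_field', (array) ( $request['fields'] ?? array() ) );
    return call_user_func( $actions[ $key ], $fields );
}

// A privileged "invoke a function" endpoint needs both: an allow-list AND a
// capability check. Functions that change site state (update_option and the
// like) do not belong in the list at all.
function example_ai_function_endpoint() {
    check_ajax_referer( 'example_ai_function', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'summarize' => 'example_ai_summarize' );
    $key     = sanitize_key( $_POST['function'] ?? '' );
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'function not permitted', 400 );
    }

    $input = sanitize_text_field( wp_unslash( $_POST['input'] ?? '' ) );
    wp_send_json_success( call_user_func( $allowed[ $key ], $input ) );
}

function example_ai_summarize( $text ) {
    return substr( $text, 0, 80 );
}

add_action( 'wp_ajax_example_ai_function', 'example_ai_function_endpoint' );
```

A useful review heuristic for `CWE-94` findings of this shape: grep for `call_user_func`, `call_user_func_array` and `$var(` and trace each callable back to where it is assigned; if any path reaches `$_POST`, `$_GET`, a form definition, or stored user content, the allow-list above is the fix.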
WordPress Plugin Flaws Enable Privilege Escalation to Administrator

Two newly disclosed vulnerabilities in WordPress plugins can let attackers elevate privileges to **Administrator** by abusing improper handling of user profile metadata. `CVE-2026-4261` affects **Expire Users** through version `1.2.2`, where the `save_extra_user_profile_fields` function allows modification of the `on_expire_default_to_role` meta value; an authenticated attacker with **Subscriber-level access or higher** can exploit the flaw to gain full administrative control. The issue was classified as `CWE-862` and carries a high-severity `CVSS v3.1` score with the vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. A second flaw, `CVE-2026-3629`, impacts **Import and export users and customers** through version `1.29.7` and can, under specific conditions, allow even **unauthenticated** attackers to become administrators. The plugin's `save_extra_user_profile_fields` logic fails to block sensitive keys such as `wp_capabilities` because `get_restricted_fields` does not restrict them, enabling a crafted registration request to assign elevated privileges when **"Show fields in profile"** is enabled and a previously imported CSV included a `wp_capabilities` column header. That vulnerability was classified as `CWE-269` with a `CVSS v3.1` vector of `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`.

1 month ago
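The Expire Users and Import and export users flaws above, and the User Registration & Membership flaw two stories up, all let a registration or profile form write a role or a capability-bearing user meta key. The following is an added example, not code from any of those plugins; the handler names are hypothetical, and the restricted-key list includes the `on_expire_default_to_role` and `wp_capabilities` keys named in the story only as illustrations of what such a list must contain.

```php
<?php
// Added example (not User Registration & Membership, Expire Users, or Import and
// export users code): a registration handler and a profile-field saver that never
// let the client choose a role or write capability metadata.

// Role is a server-side setting, never a request field. Any "role" value in the
// request is simply ignored.
function example_register_user( array $request ) {
    $login = sanitize_user( $request['username'] ?? '', true );
    $email = sanitize_email( $request['email'] ?? '' );
    $pass  = (string) ( $request['password'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        return new WP_Error( 'invalid_registration', 'Invalid registration data.' );
    }

    // Take the role from configuration, and refuse administrator even if the
    // site's default_role option has been changed to it.
    $role = get_option( 'default_role', 'subscriber' );
    if ( 'administrator' === $role ) {
        $role = 'subscriber';
    }

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );
}

// Meta keys a user-facing form must never write. Capabilities live under
// "{$wpdb->prefix}capabilities", so both the live prefix and the common "wp_"
// spelling are listed.
function example_restricted_meta_keys() {
    global $wpdb;
    $prefix = isset( $wpdb ) ? $wpdb->prefix : 'wp_';
    return array(
        $prefix . 'capabilities',
        $prefix . 'user_level',
        'wp_capabilities',
        'wp_user_level',
        'on_expire_default_to_role',
    );
}

// Saves only keys the plugin itself declared as form fields (not column headers
// from an imported CSV), refuses the restricted ones even if declared, and
// requires the caller to be allowed to edit the target user.
// Returns the list of keys written, or false when the caller is not permitted.
function example_save_profile_fields( $user_id, array $submitted, array $declared_fields ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }
    $restricted = example_restricted_meta_keys();
    $saved      = array();
    foreach ( $declared_fields as $key ) {
        if ( ! array_key_exists( $key, $submitted ) ) {
            continue;
        }
        if ( in_array( $key, $restricted, true ) ) {
            continue; // drop privilege-bearing keys rather than saving them
        }
        $value = sanitize_text_field( wp_unslash( $submitted[ $key ] ) );
        update_user_meta( $user_id, $key, $value );
        $saved[] = $key;
    }
    return $saved;
}
```

The design choice worth noting is that the allowed key set comes from the plugin's own field definitions, not from whatever columns a previous import happened to contain; a deny-list such as `get_restricted_fields` only works when it is maintained, whereas an allow-list fails closed.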
