Platform: wordpress
Component: lizza-lms-pro
Fixed in: 1.0.4
CVE-2025-13563 describes a critical Privilege Escalation vulnerability affecting Lizza LMS Pro, a WordPress plugin. This flaw allows unauthenticated attackers to bypass role restrictions during user registration, potentially granting them administrator privileges. The vulnerability impacts versions 1.0.0 through 1.0.3, and a patch is available in version 1.0.4.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-13563 can gain complete control over a WordPress site running an affected version of Lizza LMS Pro. This includes the ability to modify content, install malicious plugins, steal sensitive data (user credentials, financial information), and potentially pivot to other systems on the network. The ease of exploitation – requiring only a web browser and no authentication – significantly increases the risk of widespread compromise. This vulnerability shares similarities with other WordPress privilege escalation flaws where improper role assignment during user creation is exploited.
CVE-2025-13563 was published on 2026-02-19. The vulnerability's ease of exploitation and the potential for widespread impact suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (POC) code is likely to emerge quickly given the vulnerability's nature. Monitor security advisories and threat intelligence feeds for reports of active exploitation campaigns.
Exploit status
EPSS: 0.10% (percentile 28%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13563 is to immediately upgrade Lizza LMS Pro to version 1.0.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While a direct WAF rule is unlikely to prevent the underlying vulnerability, a WAF can be configured to block suspicious registration attempts with unusual role assignments. Review WordPress user roles and permissions to ensure least privilege is enforced. After upgrading, verify the fix by attempting to register a new user with the 'administrator' role – the registration should fail.
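The paragraph above suggests temporary workarounds and a least-privilege review of roles while the upgrade is being scheduled. The following must-use plugin is an added example written for this page, not code from Lizza LMS Pro or from the advisory: it forces any account created during an unauthenticated request back onto the site's default role, logs elevated roles granted without a logged-in actor, and provides a query for administrators created recently. The allowlist of acceptable self-registration roles (the `default_role` option plus `subscriber`), the `rrg_` prefix and the log format are assumptions for the example; adjust them to the site.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not part of Lizza LMS Pro)
 * Description: Compensating control while an upgrade is pending. Drop this file
 * into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Roles a self-registration may legitimately end up with.
// Assumption: only the configured default role (normally 'subscriber') is expected.
function rrg_allowed_registration_roles(): array {
    return array_values(array_unique([get_option('default_role', 'subscriber'), 'subscriber']));
}

// True when an account carries any role outside the allowlist.
function rrg_has_unexpected_role(array $roles, array $allowed): bool {
    return count(array_diff($roles, $allowed)) > 0;
}

// Legitimate actors that may create privileged accounts: a logged-in user with
// create_users (wp-admin) or an operator running WP-CLI.
function rrg_request_is_trusted(): bool {
    if (defined('WP_CLI') && WP_CLI) {
        return true;
    }
    return is_user_logged_in() && current_user_can('create_users');
}

// Fires right after any account is inserted (wp_insert_user, registration forms).
add_action('user_register', function (int $user_id) {
    if (rrg_request_is_trusted()) {
        return;
    }
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    $allowed = rrg_allowed_registration_roles();
    if (rrg_has_unexpected_role($user->roles, $allowed)) {
        error_log(sprintf(
            '[rrg] unauthenticated registration of user %d (%s) with roles [%s] from %s; demoting to %s',
            $user_id,
            $user->user_login,
            implode(',', $user->roles),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $allowed[0]
        ));
        // Replace every role on the account with the single allowed one.
        $user->set_role($allowed[0]);
    }
}, PHP_INT_MAX);

// Log any later elevation to administrator that happens without a trusted actor,
// which covers code paths that assign the role after user_register has fired.
add_action('set_user_role', function (int $user_id, string $new_role, array $old_roles) {
    if ($new_role === 'administrator' && !rrg_request_is_trusted()) {
        error_log(sprintf(
            '[rrg] user %d set to administrator (was [%s]) in an untrusted request from %s',
            $user_id,
            implode(',', $old_roles),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
    }
}, 10, 3);

// Review helper for the least-privilege audit: administrators registered in the
// last $days days. Returns objects with ID, user_login, user_email, user_registered.
function rrg_recent_administrators(int $days = 30): array {
    $query = new WP_User_Query([
        'role'       => 'administrator',
        'date_query' => [['after' => "{$days} days ago"]],
        'fields'     => ['ID', 'user_login', 'user_email', 'user_registered'],
    ]);
    return $query->get_results();
}
```

Whether the demotion in `user_register` actually catches the flawed path depends on when the plugin assigns the role, which the advisory does not detail; the `set_user_role` hook therefore logs elevations it does not revert, so the log should be watched and the control treated as a complement to, not a substitute for, upgrading to 1.0.4. After upgrading, `rrg_recent_administrators()` is a convenient way to confirm no unexpected administrator accounts appeared during the exposure window.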
Update to version 1.0.4 or a later fixed version.
CVE-2025-13563 is a critical vulnerability in the Lizza LMS Pro WordPress plugin that allows unauthenticated attackers to gain administrator access by exploiting a flaw in user registration. It impacts versions 1.0.0 through 1.0.3.
You are affected if your WordPress site uses Lizza LMS Pro version 1.0.0, 1.0.1, 1.0.2, or 1.0.3. Check your plugin version immediately to determine your risk level.
Upgrade Lizza LMS Pro to version 1.0.4 or later to resolve the vulnerability. If immediate upgrade is not possible, implement temporary workarounds like WAF rules to block suspicious registration attempts.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high likelihood of exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official Lizza LMS Pro website or the WordPress plugin repository for the latest security advisory and update information regarding CVE-2025-13563.