CVE-2019-15896

Published: Sep 10, 2019Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.

Affected (1)

Products: Lifterlms: Lifterlms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lifterlms Lifterlms	Up to 3.34.5

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (6)

https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-lifterlms-plugin/

Source: cve@mitre.org

ExploitThird Party Advisory

https://wordpress.org/plugins/lifterlms/#developers

Source: cve@mitre.org

Release Notes

https://wpvulndb.com/vulnerabilities/9871

Source: cve@mitre.org

Third Party Advisory

https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-lifterlms-plugin/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://wordpress.org/plugins/lifterlms/#developers

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://wpvulndb.com/vulnerabilities/9871

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.