Lizza LMS Pro

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

AI Analysis

Unauthenticated Privilege Escalation vulnerability in Lizza LMS Pro plugin for WordPress due to insufficient role restrictions during user registration.

Basic Information

ID CVE-2025-13563

Source Wordfence

Published Feb 19, 2026 at 04:36

Affected Product

Vendor BuddhaThemes

Product Lizza LMS Pro

Version *

Affected Versions BuddhaThemes Lizza LMS Pro *

CWE Classification

CWE-269

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor BuddhaThemes

Product Lizza LMS Pro

Version 1.0.3

References

{
    "lastseen": "",
    "description": "The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.",
    "published": "2026-02-19T04:36:20.596Z",
    "modified": "2026-02-19T04:36:20.596Z",
    "type": "cve",
    "title": "Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b113f475-3133-4ea3-9152-03bb84d79307?source=cve\nhttps://themeforest.net/item/lizza-lms-education-wordpress-theme/51057780",
    "id": "CVE-2025-13563",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "BuddhaThemes Lizza LMS Pro *",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Lizza LMS Pro",
    "version": "*",
    "vendor": "BuddhaThemes",
    "ai_description": "Unauthenticated Privilege Escalation vulnerability in Lizza LMS Pro plugin for WordPress due to insufficient role restrictions during user registration.",
    "ai_severity": "Critical",
    "ai_vendor": "BuddhaThemes",
    "ai_product": "Lizza LMS Pro",
    "ai_version": "1.0.3",
    "ai_score": 9.8
}

Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation_CVE-2025-13563