CVE-2019-15896

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-15896
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15896.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-15896
Published
2019-09-10T16:15:12.477Z
Modified
2026-04-10T04:23:59.583249Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.

References

Affected packages

Git / github.com/gocodebox/lifterlms

Affected ranges

Type
GIT
Repo
https://github.com/gocodebox/lifterlms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
6c496dc8f63c53b40f9c97cd1ba34713f2df994b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.34.5"
        }
    ]
}

Affected versions

1.*
1.0.0
1.1.1
1.2.4
1.2.5
1.2.6
1.3.0
1.3.10
1.3.2
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
3.*
3.0.0-beta.1
3.0.0-beta.2
3.0.0-beta.3
3.0.0-beta.4
3.0.0-beta.5
3.20.0-beta.1
3.34.5
v1.*
v1.3.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-15896.json"