Critical WordPress Plugin Vulnerabilities Enable Account Takeover and Privilege Escalation
Multiple high-severity vulnerabilities were disclosed across popular WordPress plugins, creating pathways to account takeover, privilege escalation, and sensitive data exposure. The most severe issue, CVE-2025-15521 in Academy LMS (<= 3.5.0), allows unauthenticated administrator account takeover because the plugin’s password update flow relies on a publicly exposed WordPress nonce as authorization rather than validating user identity; Wordfence reported observing exploitation attempts in the wild and blocking dozens of attacks in a 24-hour period.
Additional disclosures affect other plugins with different exploitation prerequisites and impacts. CVE-2026-0726 in Nexter Extension – Site Enhancements Toolkit (<= 4.4.6) is an unauthenticated PHP object injection via nxt_unserialize_replace, but it requires a usable POP chain from another installed plugin/theme to reach file deletion, data theft, or code execution. CVE-2025-15347 in Creator LMS (<= 1.1.12) enables authenticated (Contributor+) attackers to update arbitrary WordPress options due to a missing capability check, potentially leading to privilege escalation or site compromise. CVE-2025-14977 in Dokan (<= 4.2.4) is an IDOR in the /wp-json/dokan/v1/settings REST endpoint that lets authenticated (Customer+) users read/modify other vendors’ settings, including changing PayPal payout emails and accessing bank/payment details, enabling fraud and sensitive information disclosure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Wordfence observes exploitation attempts against Academy LMS flaw
Wordfence reported attempted in-the-wild exploitation of CVE-2025-15521 and said its firewalls blocked 76 attacks in a 24-hour period. The activity showed active targeting of vulnerable Academy LMS sites before or around public reporting.
Academy LMS account takeover flaw disclosed
A critical vulnerability, CVE-2025-15521, was reported in Academy LMS versions up to 3.5.0. The flaw allows unauthenticated attackers to reset arbitrary users’ passwords by abusing a publicly exposed WordPress nonce, enabling administrator account takeover.
Nexter Extension deserialization bug disclosed
A PHP object injection vulnerability was disclosed in the Nexter Extension plugin affecting versions up to 4.4.6 due to unsafe deserialization in the 'nxt_unserialize_replace' function. Unauthenticated exploitation could become dangerous if another installed plugin or theme provides a usable POP chain, potentially enabling file deletion, data access, or code execution.
Creator LMS authorization flaw enables arbitrary option updates
A missing capability check was disclosed in The Creator LMS plugin affecting versions up to 1.1.12. Authenticated users with contributor-level access or higher could update arbitrary WordPress options, creating a path to privilege escalation.
Dokan plugin IDOR flaw affects versions through 4.2.4
An insecure direct object reference vulnerability was identified in the Dokan WooCommerce multivendor marketplace plugin affecting versions up to 4.2.4. Authenticated users with customer-level access or higher could read or modify other vendors’ settings, exposing payout and contact data and potentially redirecting PayPal payouts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2025-15521 (CVSS 9.8): Critical Academy LMS Flaw Exploited for Admin Takeover
securityonline.info
Open sourceCVE-2026-0726 - Nexter Extension - Site Enhancements Toolkit <= 4.4.6 - Unauthenticated PHP Object Injection via 'nxt_unserialize_replace'
cvefeed.io
Open sourceCVE-2025-15347 - Creator LMS - The LMS for Creators, Coaches, and Trainers <= 1.1.12 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update
cvefeed.io
Open sourceCVE-2025-14977 - Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
WordPress Plugin Flaws Enable Account Takeover and Possible RCE
Multiple high-severity flaws in WordPress plugins exposed sites to account takeover and, in one case, possible remote code execution. In **Users Manager PN**, tracked as `CVE-2026-4003`, a missing authorization check in the `userspn_ajax_nopriv_server()` handler let unauthenticated attackers overwrite arbitrary user metadata through the `userspn_form_save` AJAX action. Because the required `userspn-nonce` was reportedly exposed on public pages, attackers could abuse the bug with a single crafted request to modify profiles and potentially seize control of administrator accounts. The issue affected versions through `1.1.15` and was reportedly fixed in `1.1.20`. Two additional vulnerabilities were disclosed in **WP Captcha PRO** affecting versions through `5.38`. `CVE-2026-5415` allowed **Subscriber-level users or higher** to generate temporary login links for arbitrary accounts because the `ajax_run_tool()` AJAX handler checked only a nonce and not user capabilities, enabling authentication bypass and administrator takeover. Separately, `CVE-2026-5411` allowed authenticated low-privilege users to upload attacker-controlled files by poisoning license metadata and abusing `sync_cloud_protection()` to download and extract content into a web-accessible uploads directory; if PHP execution was possible and `allow_url_fopen` was enabled for remote retrieval, the flaw could be escalated to **remote code execution** via a webshell.
Jun 12, 2026
Exploitation of CVE-2026-1492 in WordPress User Registration & Membership Plugin Enables Admin Account Creation
Active exploitation has been reported against **CVE-2026-1492** in the *User Registration & Membership* WordPress plugin (WPEverest), allowing **unauthenticated privilege escalation** by submitting a user-controlled role value during membership registration. The flaw affects versions **through 5.1.2** and enables attackers to create **administrator** accounts, which can then be used to install plugins/themes, modify PHP code and security settings, exfiltrate site/user data, and potentially implant malware or backdoors. Wordfence/Defiant telemetry cited in reporting indicates exploitation attempts were observed and blocked at scale in customer environments. A fix was released in **5.1.3** (with **5.1.4** available), and the recommended mitigation is to **update immediately** or temporarily disable/uninstall the plugin if patching is not possible. Other WordPress plugin CVEs in the provided material—**CVE-2026-1321** (*Restrict Content* unauth privilege escalation via `rcp_level`), **CVE-2026-1720** (*WowOptin* missing authorization enabling Subscriber+ arbitrary plugin installation), and **CVE-2026-2628** (*All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login* authentication bypass)—are separate issues and should be tracked independently, as they do not describe the same exploited vulnerability affecting *User Registration & Membership* (CVE-2026-1492).
Apr 13, 2026
Critical WordPress Plugin Flaws Expose Sites to File Upload, SQL Injection, and Takeover
Multiple **WordPress plugins** were flagged for severe vulnerabilities that could let attackers take over sites through unauthenticated file upload, SQL injection, arbitrary file deletion, and authorization bypass. References point to issues in plugins including **WP Duplicate**, **Ninja Forms File Upload**, **Ultimate Member**, **Product Addons for WooCommerce**, **CleanTalk Spam Protect**, **Ally**, **Perfmatters**, and **Kali Forms**, alongside identifiers such as **`CVE-2024-48930`**, **`CVE-2025-13192`**, and **`CVE-2026-1104`**. Several flaws were described as allowing arbitrary plugin installation, malicious file upload, or direct database manipulation, creating a path to remote code execution and full site compromise. Wordfence reports indicate the exposure spans **hundreds of thousands of WordPress sites**, with some bugs already under **active exploitation**. The most serious cases include an unauthenticated SQL injection flaw in the **Ally** plugin affecting roughly **400,000 sites**, an arbitrary file deletion issue in **Perfmatters** affecting about **200,000 sites**, and active attacks targeting a critical flaw in **Kali Forms**. Taken together, the disclosures show a broad wave of high-impact plugin security failures that increase the risk of website defacement, malware deployment, data theft, and administrator-level compromise across the WordPress ecosystem.
May 25, 2026