CVE-2025-68982

The DesignThemes LMS Addon plugin for WordPress versions up to and including 2.6 contains a missing authorization vulnerability [1]. This broken access control issue stems from incorrectly configured access control security levels, meaning the plugin fails to properly verify user permissions before allowing certain actions [1].

An attacker can exploit this vulnerability without needing only network access to a WordPress site running the vulnerable plugin. No authentication is required, as the missing authorization check allows unauthenticated or low-privilege users to perform actions that should be restricted to higher-privilege roles [1]. The attack surface is broad, as the plugin is widely used in learning management systems.

The impact of successful exploitation includes the ability to bypass intended access restrictions, potentially leading to unauthorized modification of LMS content, settings, or user data [1]. While the CVSS score of 5.3 indicates medium severity, the vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

The vulnerability is patched in version 3.0 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].