The WPLMS theme for WordPress is vulnerable to Privilege Escalation in versions 1.5.2 to 1.8.4.1 via the wp_ajax_import_data AJAX action. This makes it possible for authenticated attackers to change otherwise restricted settings and potentially create a new accessible admin account.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.