CVE-2025-2290

MEDIUM

LifterLMS < 8.0.1 - Unauthenticated Post Trashing via Missing Capability Check

Title source: llm

Description

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to "Trash" for every published post, therefore limiting the availability of the website's content.

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3257328/lifterlms/trunk/includes/class.llms.ajax.handler.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f64dbf2-b75a-4a35-9b4e-413b8fd1fff0?source=cve

Scores

CVSS v3 5.3

EPSS 0.0028

EPSS Percentile 19.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

chrisbadgett/LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes < 8.0.1

lifterlms/lifterlms < 8.0.2

Published Mar 19, 2025

Tracked Since Feb 18, 2026