5.3

CVE-2025-2290

EPSS 0.34%
Veröffentlicht 19.03.2025 04:21:05
Zuletzt bearbeitet 11.07.2025 21:23:28
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

LifterLMS <= 8.0.1 - Missing Authorization to Unauthenticated Post Trashing

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to "Trash" for every published post, therefore limiting the availability of the website's content.

Mögliche Gegenmaßnahme

LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes: Update to version 8.0.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Version *-8.0.1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lifterlms ≫ Lifterlms SwPlatformwordpress Version < 8.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.563

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f64dbf2-b75a-4a35-9b4e-413b8fd1fff0?source=cve

Third Party Advisory

https://plugins.trac.wordpress.org/changeset/3257328/lifterlms/trunk/includes/class.llms.ajax.handler.php

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f64dbf2-b75a-4a35-9b4e-413b8fd1fff0

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-2290

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-2290

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-2290

EUVD