CVE-2025-2290

LifterLMS <= 8.0.1 - Missing Authorization to Unauthenticated Post Trashing

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to "Trash" for every published post, therefore limiting the availability of the website's content.
Possible countermeasure
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes: Update to version 8.0.2, or a newer patched version
Data provided by the National Vulnerability Database (NVD)
Affected configuration (CPE): vendor Lifterlms, product Lifterlms, software platform wordpress, version < 8.0.2
Further vulnerability information
System: WordPress Plugin
Product: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Version: *-8.0.1
No warning was found for this CVE.
EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.28%   0.196
CVSS metrics
Source                   Base Score   Exploit Score   Impact Score   Vector String
security@wordfence.com   5.3          3.9             1.4            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f64dbf2-b75a-4a35-9b4e-413b8fd1fff0?source=cve (Third Party Advisory)
https://plugins.trac.wordpress.org/changeset/3257328/lifterlms/trunk/includes/class.llms.ajax.handler.php (Patch)
https://www.wordfence.com/threat-intel/vulnerabilities/id/4f64dbf2-b75a-4a35-9b4e-413b8fd1fff0 (Third Party Advisory)