Home

Description

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a user's identity prior to allowing them to modify their own role via the REST API. The permission check in the update_item_permissions_check() function returns true when a user updates their own account without verifying the role changes. This makes it possible for authenticated attackers, with student-level access and above, to escalate their privileges to administrator by updating their own roles array via a crafted REST API request. Another endpoint intended for instructors also provides an attack vector. Affected version ranges are 3.5.3-3.41.2, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7, 9.0.0-9.0.7, 9.1.0.

PUBLISHED Reserved 2025-10-17 | Published 2025-11-13 | Updated 2025-11-13 | Assigner Wordfence




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-269 Improper Privilege Management

Product status

Default status
unaffected

3.5.3 (semver)
affected

4.0.0 (semver)
affected

5.0.0 (semver)
affected

6.0.0 (semver)
affected

7.0.0 (semver)
affected

8.0.0 (semver)
affected

9.0.0 (semver)
affected

9.1.0
affected

Timeline

2025-11-03:Vendor Notified
2025-11-12:Disclosed

Credits

Angus Girvan finder

References

www.wordfence.com/...-6b79-4bf1-8e77-c8cb836dc0c5?source=cve

plugins.trac.wordpress.org/...s-rest-students-controller.php

plugins.trac.wordpress.org/...llms-rest-users-controller.php

plugins.trac.wordpress.org/...%2Ftrunk&sfp_email=&sfph_mail=

cve.org (CVE-2025-11923)

nvd.nist.gov (CVE-2025-11923)

Download JSON