← Back

CVE-2025-2290

nvd nist
Published: Mar 19, 2025Modified: Jul 11, 2025

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 / Impact: 1.4
Source: security@wordfence.com (Secondary)

Description

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to "Trash" for every published post, therefore limiting the availability of the website's content.

Affected (1)

Products: Lifterlms: Lifterlms
Lifterlms
1 product
Lifterlms
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Lifterlms
Before 8.0.2

Related CWEs

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

Source: security@wordfence.com
Patch
Source: security@wordfence.com
Third Party Advisory

Timeline

No history available yet.