What the vulnerability does
01Description
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a user's identity prior to allowing them to modify their own role via the REST API. The permission check in the update_item_permissions_check() function returns true when a user updates their own account without verifying the role changes. This makes it possible for authenticated attackers, with student-level access and above, to escalate their privileges to administrator by updating their own roles array via a crafted REST API request. Another endpoint intended for instructors also provides an attack vector. Affected version ranges are 3.5.3-3.41.2, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7, 9.0.0-9.0.7, 9.1.0.
Explanation of Vulnerability in Simple Terms
02Summary
LifterLMS versions 3.5.3 through 3.41.1 contain a privilege management flaw that allows authenticated users with low-level access to gain unauthorized control over site functionality. An attacker with a basic user account can read, modify, or delete sensitive data and disrupt site operations. This affects all installations within the vulnerable version range.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete sensitive data and disrupt site operations with a low-privilege user account.
Potential impact on your site
04Site Impact
Any registered user can escalate their access to perform admin-level actions, compromising course data, student records, and site stability.
Conditions required to exploit
05Prerequisites
Attacker must have a valid user account on the site (low privilege level sufficient).
Key dates
06Disclosure timeline
November 13, 2025
CVE published
November 13, 2025
Record updated