CVE-2025-11923 HIGH

CVE-2025-11923: LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes - Various Versions - Authenticated (Student+) Privilege Escalation

Vendor Chrisbadgett
Product LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Weakness CWE-269
Published November 13, 2025
Last update November 13, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a user's identity prior to allowing them to modify their own role via the REST API. The permission check in the update_item_permissions_check() function returns true when a user updates their own account without verifying the role changes. This makes it possible for authenticated attackers, with student-level access and above, to escalate their privileges to administrator by updating their own roles array via a crafted REST API request. Another endpoint intended for instructors also provides an attack vector. Affected version ranges are 3.5.3-3.41.2, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7, 9.0.0-9.0.7, 9.1.0.

Explanation of Vulnerability in Simple Terms

02Summary

LifterLMS versions 3.5.3 through 3.41.1 contain a privilege management flaw that allows authenticated users with low-level access to gain unauthorized control over site functionality. An attacker with a basic user account can read, modify, or delete sensitive data and disrupt site operations. This affects all installations within the vulnerable version range.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete sensitive data and disrupt site operations with a low-privilege user account.

Potential impact on your site

04Site Impact

Any registered user can escalate their access to perform admin-level actions, compromising course data, student records, and site stability.

Conditions required to exploit

05Prerequisites

Attacker must have a valid user account on the site (low privilege level sufficient).

Key dates

06Disclosure timeline

November 13, 2025 CVE published
November 13, 2025 Record updated