CVE-2025-14802 MEDIUM

CVE-2025-14802: LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion

Vendor Thimpress
Product LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Weakness CWE-639 · IDOR
Published January 7, 2026
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. The cause is a parameter mismatch between the DELETE handler and its authorization check: the endpoint deletes the file_id taken from the URL path, while the permission callback validates the item_id taken from the request body. This makes it possible for authenticated attackers with teacher-level access to delete arbitrary lesson material files uploaded by other teachers by sending a DELETE request that carries their own item_id (to pass authorization) while targeting another teacher's file_id.
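To make the mismatch concrete, here is an added example (not LearnPress code) of a WordPress REST route whose permission callback authorizes on a body parameter while the handler deletes the object named in the path, followed by a callback that checks the object actually being acted on. The route namespace and all `example_*` function names are hypothetical.

```php
<?php
// Added example, not from the plugin: the bug class described above.
// Route name and example_* functions are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/material/(?P<file_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_material',
        // Swap in the _vulnerable callback below to reproduce the mismatch.
        'permission_callback' => 'example_can_delete_material_fixed',
    ) );
} );

// Vulnerable pattern: ownership is checked on item_id (request body),
// but the handler deletes file_id (URL path). Any id the caller owns
// satisfies this check, regardless of which file is deleted.
function example_can_delete_material_vulnerable( WP_REST_Request $request ) {
    $item = get_post( (int) $request->get_param( 'item_id' ) );
    return $item && (int) $item->post_author === get_current_user_id();
}

// Fixed pattern: authorize on the same identifier the handler acts on.
function example_can_delete_material_fixed( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Login required.', array( 'status' => 401 ) );
    }
    $file = get_post( (int) $request['file_id'] );
    if ( ! $file || 'attachment' !== $file->post_type ) {
        return new WP_Error( 'rest_not_found', 'No such material.', array( 'status' => 404 ) );
    }
    // Allow the uploader, or a user WordPress already lets delete this post.
    if ( (int) $file->post_author !== get_current_user_id()
         && ! current_user_can( 'delete_post', $file->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Not your material.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler: deletes exactly the object the fixed callback authorized.
function example_delete_material( WP_REST_Request $request ) {
    $file_id = (int) $request['file_id'];
    if ( ! wp_delete_attachment( $file_id, true ) ) {
        return new WP_Error( 'rest_cannot_delete', 'Delete failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => $file_id ) );
}
```

When reviewing a route for this bug class, compare the identifier read in `permission_callback` with the one read in `callback`; they must be the same parameter from the same source.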

Explanation of Vulnerability in Simple Terms

02 Summary

LearnPress versions up to 4.3.2.1 contain a vulnerability that allows authenticated users to modify course or lesson data without proper authorization checks. An attacker with low-level WordPress access can alter course content, settings, or availability. The vulnerability affects integrity and availability of course materials. Update to a version newer than 4.3.2.1.

What an attacker can do

03 Attacker Capabilities

Modify course or lesson data, settings, or availability without proper authorization.

Potential impact on your site

04 Site Impact

Course instructors or admins may find course content altered by unauthorized users with basic site access.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-level WordPress user account (subscriber or contributor level).

Key dates

06 Disclosure timeline

January 7, 2026 CVE published
April 8, 2026 Record updated