What the vulnerability does
01 Description
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
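The parameter mismatch described above, as an added illustration that is not LearnPress's own code: a WordPress REST route whose permission callback authorizes item_id from the request body while the handler deletes file_id from the URL path, beside a corrected callback that authorizes the same identifier the handler acts on. The example/v1 namespace, the example_* function names, and the use of the delete_post meta capability are assumptions.

```php
<?php
// Added illustration, not LearnPress code. Route shape mirrors the advisory:
// DELETE /wp-json/<ns>/v1/material/{file_id}, where {file_id} is a URL path parameter.

// Hypothetical ownership helper: is the current user the author of this post/attachment?
function example_user_owns_item( $item_id ) {
    $post = get_post( (int) $item_id );
    return $post && (int) $post->post_author === get_current_user_id();
}

// VULNERABLE PATTERN: the check reads item_id, which the caller supplies in the
// request body, so a caller can pass an item they own to satisfy the check ...
function example_permission_mismatch( WP_REST_Request $request ) {
    return example_user_owns_item( $request->get_param( 'item_id' ) );
}

// ... while the handler deletes file_id from the URL path, which was never authorized.
function example_delete_material( WP_REST_Request $request ) {
    $file_id = (int) $request['file_id'];
    if ( ! wp_delete_attachment( $file_id, true ) ) {
        return new WP_Error( 'example_not_deleted', 'Delete failed.', array( 'status' => 500 ) );
    }
    return array( 'deleted' => $file_id );
}

// FIXED PATTERN: authorize the identifier the handler actually acts on. The
// delete_post meta capability resolves ownership and role capabilities via map_meta_cap.
function example_permission_fixed( WP_REST_Request $request ) {
    $file_id = (int) $request['file_id'];
    if ( ! current_user_can( 'delete_post', $file_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not delete this material.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/material/(?P<file_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_material',
        'permission_callback' => 'example_permission_fixed', // was: example_permission_mismatch
        'args'                => array(
            'file_id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

The defensive rule this encodes: every identifier a REST handler mutates must be the one the permission_callback authorized, read from the same source (here, the URL path).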
Explanation of Vulnerability in Simple Terms
02 Summary
LearnPress versions up to 4.3.2.1 contain a vulnerability that allows authenticated users to modify course or lesson data without proper authorization checks. An attacker with low-level WordPress access can alter course content, settings, or availability. The vulnerability affects integrity and availability of course materials. Update to a version newer than 4.3.2.1.
What an attacker can do
03 Attacker Capabilities
Modify course or lesson data, settings, or availability without proper authorization.
Potential impact on your site
04 Site Impact
Course instructors or admins may find course content altered by unauthorized users with basic site access.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-level WordPress user account (subscriber or contributor level).
Key dates
06 Disclosure Timeline
January 7, 2026
CVE published
April 8, 2026
Record updated