CVE-2025-2290 MEDIUM

CVE-2025-2290: LifterLMS <= 8.0.1 - Missing Authorization to Unauthenticated Post Trashing

Vendor Chrisbadgett
Product LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Weakness CWE-862 · Missing authorization
Published March 19, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change the status of every published post to "Trash", thereby limiting the availability of the website's content.
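The weakness class named above (CWE-862, a WordPress AJAX action that performs a privileged operation without checking the caller's capability) is easiest to see as a minimal handler in both forms. The following is an added example written for this page, not LifterLMS code, and the action name `example_trash_item`, the nonce action and the post type `example_item` are all hypothetical:

```php
<?php
// Added example, not code from the LifterLMS plugin. Illustrates the CWE-862 pattern
// behind this advisory: an admin-ajax endpoint that trashes a post.

// Weak pattern. Registering on wp_ajax_nopriv_* exposes the action to logged-out
// visitors, and nothing verifies a nonce or a capability before wp_trash_post().
add_action( 'wp_ajax_nopriv_example_trash_item', 'example_trash_item_unchecked' );
add_action( 'wp_ajax_example_trash_item', 'example_trash_item_unchecked' );
function example_trash_item_unchecked() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_trash_post( $post_id ); // any request can move any post to the Trash
    wp_send_json_success();
}

// Hardened pattern. Only the authenticated hook is registered, the request must carry
// a valid nonce, and the caller must hold delete_post on that specific post.
add_action( 'wp_ajax_example_trash_item', 'example_trash_item_checked' );
function example_trash_item_checked() {
    // Rejects the request (HTTP 403) when the nonce is missing or invalid.
    check_ajax_referer( 'example_trash_item', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Authorization: a per-object capability check, not just "is logged in".
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Confine the endpoint to the post type it was written for.
    if ( get_post_type( $post_id ) !== 'example_item' ) {
        wp_send_json_error( array( 'message' => 'unexpected post type' ), 400 );
    }

    if ( ! wp_trash_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'trash failed' ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// The nonce the hardened handler expects is issued to the page that renders the button,
// e.g. with wp_create_nonce( 'example_trash_item' ) and passed as the 'nonce' field.
```

The two changes that matter for this CVE class are dropping the `wp_ajax_nopriv_` registration for a destructive action and calling `current_user_can( 'delete_post', $post_id )` on the target object; the nonce check addresses CSRF and does not by itself provide authorization. When reviewing a plugin, grep its `add_action( 'wp_ajax_nopriv_` registrations and confirm each handler either performs a harmless read or contains a capability check before any write.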

Explanation of Vulnerability in Simple Terms

02 Summary

LifterLMS versions up to and including 8.0.1 lack a proper authorization check on a post-trashing function and its AJAX endpoints, allowing unauthenticated attackers to move published posts to the Trash. The vulnerability requires no special setup or user interaction. Site administrators should update to a version newer than 8.0.1 to prevent unauthorized changes to the site's published content.

What an attacker can do

03 Attacker Capabilities

Change the status of any published post, including course content, to "Trash" without logging in, removing it from the public site.

Potential impact on your site

04 Site Impact

Attackers can trash published posts and course content without your knowledge or permission, making that content unavailable to visitors until it is restored from the Trash.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

March 19, 2025 CVE published
April 8, 2026 Record updated