CVE-2025-14802: CWE-639 Authorization Bypass Through User-Controlled Key in thimpress LearnPress – WordPress LMS Plugin
CVE-2025-14802 is a medium-severity authorization bypass vulnerability in the LearnPress WordPress LMS plugin affecting versions up to and including 4.3.2.2. The flaw arises from a mismatch between the key used by the DELETE REST API endpoint and the key checked by its authorization logic, allowing authenticated users with teacher-level privileges to delete lesson material files belonging to other teachers. Exploitation requires no user interaction but does require authenticated access with teacher permissions. The vulnerability impacts the integrity and availability of course content but does not affect confidentiality. No known exploits are currently reported in the wild. European organizations using LearnPress for e-learning platforms should prioritize patching or mitigating this issue to prevent unauthorized content deletion. Countries with significant WordPress and e-learning adoption, such as Germany, France, and the UK, are more likely to be affected.
AI Analysis
Technical Summary
CVE-2025-14802 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) in the LearnPress WordPress LMS plugin, versions up to and including 4.3.2.2. The vulnerability exists in the REST API DELETE endpoint /wp-json/lp/v1/material/{file_id}, which deletes lesson material files.

The core issue is a parameter mismatch: the DELETE operation identifies the file to delete by the file_id parameter in the URL path, but the authorization check validates permissions against an item_id parameter supplied in the request body. Because the two keys are never tied together, an authenticated user with teacher-level access can craft a DELETE request that supplies an item_id they own (passing the authorization check) while naming a different file_id in the URL path, deleting files uploaded by other teachers. Since the attacker must be authenticated as a teacher, the attack surface is limited to users with elevated privileges, but administrator access is not required.

The vulnerability impacts the integrity and availability of lesson materials, potentially disrupting course content and the learning experience. The CVSS v3.1 base score is 5.4 (medium severity), reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, and low integrity and availability impact. No public exploits are known at this time. The vulnerability was published on January 7, 2026, and no official patch links are currently available, so organizations must monitor vendor updates closely. The issue highlights the importance of authorizing on the same key that an endpoint acts upon: checking a different, user-controlled key is exactly the CWE-639 pattern.
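To make the mismatch concrete, the following added example (hypothetical code, not LearnPress's own implementation) registers a material DELETE route twice: once with the flawed shape that authorizes on the body-supplied item_id, and once with a check that authorizes on the file_id the handler actually deletes. It assumes materials are WordPress attachments whose post_parent is the owning lesson; the demo/v1 namespace and demo_ functions are invented for illustration.

```php
<?php
// Hypothetical illustration of the key mismatch described above; not LearnPress code.
// Assumed data model: a material file is a WordPress attachment whose post_parent is the
// lesson (item) it belongs to, and the lesson's post_author is the teacher who owns it.

function demo_current_user_owns_item( int $item_id ): bool {
    $item = get_post( $item_id );
    return $item && (int) $item->post_author === get_current_user_id();
}

function demo_delete_material( WP_REST_Request $req ) {
    $file_id = (int) $req->get_url_params()['file_id'];            // key taken from the URL path
    return rest_ensure_response( [ 'deleted' => (bool) wp_delete_attachment( $file_id, true ) ] );
}

// VULNERABLE shape: permission_callback authorizes item_id from the request body, while the
// handler deletes file_id from the path. Nothing ties the two keys together, so a teacher who
// owns item_id can name any file_id and the check still passes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/material/(?P<file_id>\d+)', [
        'methods'             => 'DELETE',
        'permission_callback' => function ( WP_REST_Request $req ) {
            return demo_current_user_owns_item( (int) $req->get_param( 'item_id' ) );
        },
        'callback'            => 'demo_delete_material',
    ] );
} );

// HARDENED shape: derive the owning item from the same file_id the handler will delete, and
// treat a body-supplied item_id only as a consistency check, never as the basis of the decision.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/material-fixed/(?P<file_id>\d+)', [
        'methods'             => 'DELETE',
        'permission_callback' => function ( WP_REST_Request $req ) {
            $file = get_post( (int) $req->get_url_params()['file_id'] );
            if ( ! $file || 'attachment' !== $file->post_type ) {
                return false;                                        // unknown id: deny by default
            }
            $item_id = (int) $req->get_param( 'item_id' );
            if ( $item_id && $item_id !== (int) $file->post_parent ) {
                return new WP_Error( 'rest_invalid_param', 'item_id does not match file.', [ 'status' => 400 ] );
            }
            return demo_current_user_owns_item( (int) $file->post_parent );   // authorize on the real parent
        },
        'callback'            => 'demo_delete_material',
    ] );
} );
```

The only difference that matters is which key the permission_callback resolves: the hardened route never lets the caller choose the object it is authorized against.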
Potential Impact
For European organizations using the LearnPress plugin to manage e-learning content, this vulnerability poses a risk to the integrity and availability of educational materials. Unauthorized deletion of lesson files by teacher-level users could disrupt course delivery, cause data loss, and degrade the learning experience. Although confidentiality is not directly impacted, the loss or tampering of course content can lead to reputational damage, loss of trust from students and educators, and potential operational downtime. Organizations relying heavily on LearnPress for critical training or certification programs may face significant disruption. Additionally, the vulnerability could be exploited internally by disgruntled employees or malicious insiders with teacher privileges. The medium severity score suggests a moderate risk, but the impact could be amplified in environments with many teacher accounts or insufficient monitoring. European educational institutions, corporate training departments, and e-learning service providers should be particularly vigilant. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.
Mitigation Recommendations
1. Monitor LearnPress vendor announcements and apply the security patch for CVE-2025-14802 promptly once it is available.
2. Until a patch is released, restrict teacher-level permissions to the minimum necessary: limit file deletion capabilities where possible and review role assignments to reduce the number of users holding such privileges.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious DELETE requests to the /wp-json/lp/v1/material/ endpoint, especially those where the file_id in the URL path and the item_id in the request body do not match expected patterns.
4. Enable detailed logging and monitoring of REST API calls related to lesson material management, recording both the path file_id and the body item_id, to detect anomalous deletion attempts.
5. Conduct regular audits of WordPress user roles and permissions to ensure no unauthorized privilege escalation has occurred.
6. Educate teachers and administrators about the risk and encourage reporting of unexpected content deletions.
7. Keep isolated backups of critical course content and enable versioning so that unauthorized deletions can be recovered.
8. If feasible, temporarily disable the vulnerable REST API endpoint, or restrict access to it via IP whitelisting or additional authentication controls, until the patch is applied.
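Recommendations 3, 4 and 8 can be combined in an interim must-use plugin that logs every material DELETE with both keys and refuses the call unless the requester owns the file named in the path. This is added illustrative code, not from LearnPress or Wordfence; it assumes materials are stored as WordPress attachments with post_parent set to the lesson (adjust demo_guard_file_owner() for your install), and the demo_ names are hypothetical.

```php
<?php
/**
 * Plugin Name: Demo interim guard for LearnPress material DELETE (illustration only)
 * Install under wp-content/mu-plugins/. Hypothetical code, not shipped by LearnPress.
 * Assumption: a material file is a WordPress attachment whose post_parent is the lesson
 * (item) it belongs to; adapt demo_guard_file_owner() if materials are stored differently.
 */

// Resolve the teacher (post_author of the parent lesson) who owns a material file, or null if unknown.
function demo_guard_file_owner( int $file_id ): ?int {
    $file = get_post( $file_id );
    if ( ! $file || 'attachment' !== $file->post_type ) {
        return null;
    }
    $item = get_post( $file->post_parent );
    return $item ? (int) $item->post_author : null;
}

// Runs before the plugin's own permission_callback; returning a WP_Error stops the request.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, WP_REST_Request $request ) {
    $route = $request->get_route();
    if ( 'DELETE' !== $request->get_method() || 0 !== strpos( $route, '/lp/v1/material/' ) ) {
        return $response;                                  // not the endpoint in question
    }
    // Key from the path (the one actually deleted); fall back to the last path segment.
    $file_id = (int) ( $request->get_url_params()['file_id'] ?? basename( $route ) );
    $item_id = (int) $request->get_param( 'item_id' );     // key the vulnerable check looks at
    $user_id = get_current_user_id();
    $owner   = demo_guard_file_owner( $file_id );

    // Recommendation 4: record both keys so path/body mismatches show up in the audit trail.
    error_log( sprintf( 'lp-material-delete user=%d file_id=%d item_id=%d owner=%s',
        $user_id, $file_id, $item_id, null === $owner ? 'unknown' : (string) $owner ) );

    // Recommendations 3/8: allow only the owner of the file in the path (or a site administrator).
    if ( current_user_can( 'manage_options' ) || ( null !== $owner && $owner === $user_id ) ) {
        return $response;                                  // hand over to the plugin's own handler
    }
    return new WP_Error( 'demo_material_forbidden', 'Deleting this material is not permitted.', [ 'status' => 403 ] );
}, 10, 3 );
```

An unknown file_id resolves to a null owner and is blocked, so the guard fails closed; remove it once the vendor patch is applied.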
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-16T20:58:27.037Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e0d1ea55ed4ed99880fe4
Added to database: 1/7/2026, 7:37:02 AM
Last enriched: 1/14/2026, 3:45:17 PM
Last updated: 2/4/2026, 7:52:30 PM