CVE-2025-14802: CWE-639 Authorization Bypass Through User-Controlled Key in thimpress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
AI Analysis
Technical Summary
The LearnPress WordPress LMS Plugin suffers from an authorization bypass vulnerability (CWE-639) in its REST API DELETE endpoint for lesson materials. The endpoint uses the file_id parameter from the URL path to identify the file to delete, but the permission callback incorrectly validates authorization based on item_id from the request body. Authenticated users with teacher privileges can exploit this mismatch by providing their own item_id to pass authorization checks while specifying another teacher's file_id in the URL, thereby deleting files they should not have access to. This vulnerability affects versions up to and including 4.3.2.2.
Potential Impact
An authenticated user with teacher-level privileges can delete arbitrary lesson material files uploaded by other teachers. This results in unauthorized modification of course content, causing integrity and availability impacts on the affected LMS materials. There is no indication of confidentiality impact. The CVSS score is 5.4 (medium severity), reflecting low attack complexity and limited privileges required but no confidentiality loss.
Mitigation Recommendations
Patch status is not yet confirmed — no official patch or vendor advisory is provided in the available data. Users should monitor the vendor's official channels for updates and apply any forthcoming patches promptly. Until a fix is available, restrict teacher-level access to trusted users only and consider disabling or restricting access to the vulnerable REST API endpoint if possible.
CVE-2025-14802: CWE-639 Authorization Bypass Through User-Controlled Key in thimpress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Description
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The LearnPress WordPress LMS Plugin suffers from an authorization bypass vulnerability (CWE-639) in its REST API DELETE endpoint for lesson materials. The endpoint uses the file_id parameter from the URL path to identify the file to delete, but the permission callback incorrectly validates authorization based on item_id from the request body. Authenticated users with teacher privileges can exploit this mismatch by providing their own item_id to pass authorization checks while specifying another teacher's file_id in the URL, thereby deleting files they should not have access to. This vulnerability affects versions up to and including 4.3.2.2.
Potential Impact
An authenticated user with teacher-level privileges can delete arbitrary lesson material files uploaded by other teachers. This results in unauthorized modification of course content, causing integrity and availability impacts on the affected LMS materials. There is no indication of confidentiality impact. The CVSS score is 5.4 (medium severity), reflecting low attack complexity and limited privileges required but no confidentiality loss.
Mitigation Recommendations
Patch status is not yet confirmed — no official patch or vendor advisory is provided in the available data. Users should monitor the vendor's official channels for updates and apply any forthcoming patches promptly. Until a fix is available, restrict teacher-level access to trusted users only and consider disabling or restricting access to the vulnerable REST API endpoint if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-16T20:58:27.037Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695e0d1ea55ed4ed99880fe4
Added to database: 1/7/2026, 7:37:02 AM
Last enriched: 4/9/2026, 4:52:58 PM
Last updated: 5/8/2026, 8:47:37 AM
Views: 129
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.