CVE-2025-14802: CWE-639 Authorization Bypass Through User-Controlled Key in thimpress LearnPress – WordPress LMS Plugin
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
AI Analysis
Technical Summary
The LearnPress WordPress LMS plugin, widely used for managing online courses, contains an authorization bypass vulnerability identified as CVE-2025-14802. This vulnerability exists in the REST API endpoint /wp-json/lp/v1/material/{file_id}, which handles deletion of lesson material files. The core issue is a parameter mismatch: the DELETE operation uses the file_id from the URL path to identify the file to delete, but the authorization callback checks permissions against an item_id provided in the request body. Because these parameters are not synchronized, an authenticated user with teacher-level access can supply their own item_id to pass the authorization check while specifying a different file_id in the URL. This allows them to delete files uploaded by other teachers without proper authorization. The vulnerability affects all versions up to and including 4.3.2.2 of LearnPress. The CVSS v3.1 base score is 5.4, reflecting medium severity, with attack vector being network, low attack complexity, requiring privileges (teacher role), no user interaction, and impacting integrity and availability but not confidentiality. No public exploits have been reported yet, but the flaw could be leveraged to disrupt course content by deleting critical lesson materials. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).
Potential Impact
For European organizations using LearnPress to deliver online education or training, this vulnerability could lead to unauthorized deletion of lesson materials by malicious or careless teachers with authenticated access. This compromises the integrity and availability of educational content, potentially disrupting learning activities and causing reputational damage. In regulated sectors such as education, healthcare, or government training, loss of critical instructional data could also lead to compliance issues. Since the vulnerability requires only teacher-level privileges, insider threats or compromised teacher accounts pose a significant risk. The impact is primarily on content integrity and availability rather than confidentiality, but the disruption could affect operational continuity and user trust. Organizations relying heavily on LearnPress for e-learning platforms should consider this a moderate risk that could escalate if exploited at scale.
Mitigation Recommendations
Immediate mitigation involves updating the LearnPress plugin to a version where this vulnerability is patched once available. Until an official patch is released, organizations should implement strict access controls limiting teacher-level privileges to trusted users only. Monitoring and logging DELETE requests to the /wp-json/lp/v1/material/{file_id} endpoint can help detect suspicious activity. Web Application Firewalls (WAFs) can be configured to block anomalous DELETE requests where the file_id and item_id parameters mismatch. Additionally, consider disabling or restricting REST API access for teacher roles if feasible. Regular backups of lesson materials should be maintained to enable recovery from unauthorized deletions. Educate teachers about the risk of credential compromise and enforce strong authentication mechanisms such as MFA to reduce the risk of account takeover. Finally, conduct security reviews of custom plugins or integrations that interact with LearnPress REST API endpoints.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
CVE-2025-14802: CWE-639 Authorization Bypass Through User-Controlled Key in thimpress LearnPress – WordPress LMS Plugin
Description
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
AI-Powered Analysis
Technical Analysis
The LearnPress WordPress LMS plugin, widely used for managing online courses, contains an authorization bypass vulnerability identified as CVE-2025-14802. This vulnerability exists in the REST API endpoint /wp-json/lp/v1/material/{file_id}, which handles deletion of lesson material files. The core issue is a parameter mismatch: the DELETE operation uses the file_id from the URL path to identify the file to delete, but the authorization callback checks permissions against an item_id provided in the request body. Because these parameters are not synchronized, an authenticated user with teacher-level access can supply their own item_id to pass the authorization check while specifying a different file_id in the URL. This allows them to delete files uploaded by other teachers without proper authorization. The vulnerability affects all versions up to and including 4.3.2.2 of LearnPress. The CVSS v3.1 base score is 5.4, reflecting medium severity, with attack vector being network, low attack complexity, requiring privileges (teacher role), no user interaction, and impacting integrity and availability but not confidentiality. No public exploits have been reported yet, but the flaw could be leveraged to disrupt course content by deleting critical lesson materials. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).
Potential Impact
For European organizations using LearnPress to deliver online education or training, this vulnerability could lead to unauthorized deletion of lesson materials by malicious or careless teachers with authenticated access. This compromises the integrity and availability of educational content, potentially disrupting learning activities and causing reputational damage. In regulated sectors such as education, healthcare, or government training, loss of critical instructional data could also lead to compliance issues. Since the vulnerability requires only teacher-level privileges, insider threats or compromised teacher accounts pose a significant risk. The impact is primarily on content integrity and availability rather than confidentiality, but the disruption could affect operational continuity and user trust. Organizations relying heavily on LearnPress for e-learning platforms should consider this a moderate risk that could escalate if exploited at scale.
Mitigation Recommendations
Immediate mitigation involves updating the LearnPress plugin to a version where this vulnerability is patched once available. Until an official patch is released, organizations should implement strict access controls limiting teacher-level privileges to trusted users only. Monitoring and logging DELETE requests to the /wp-json/lp/v1/material/{file_id} endpoint can help detect suspicious activity. Web Application Firewalls (WAFs) can be configured to block anomalous DELETE requests where the file_id and item_id parameters mismatch. Additionally, consider disabling or restricting REST API access for teacher roles if feasible. Regular backups of lesson materials should be maintained to enable recovery from unauthorized deletions. Educate teachers about the risk of credential compromise and enforce strong authentication mechanisms such as MFA to reduce the risk of account takeover. Finally, conduct security reviews of custom plugins or integrations that interact with LearnPress REST API endpoints.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-16T20:58:27.037Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695e0d1ea55ed4ed99880fe4
Added to database: 1/7/2026, 7:37:02 AM
Last enriched: 1/7/2026, 7:51:42 AM
Last updated: 1/8/2026, 12:17:23 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2024-1574: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in Mitsubishi Electric Iconics Digital Solutions GENESIS64
MediumCVE-2024-1573: CWE-306 Missing Authentication for Critical Function in Mitsubishi Electric Iconics Digital Solutions GENESIS64
MediumThe State of Trusted Open Source
MediumCVE-2024-1182: CWE-427 Uncontrolled Search Path Element in Mitsubishi Electric Iconics Digital Solutions GENESIS64
HighCVE-2025-66001: CWE-295: Improper Certificate Validation in SUSE neuvector
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.