CVE-2025-14802: CWE-639 Authorization Bypass Through User-Controlled Key in thimpress LearnPress – WordPress LMS Plugin
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
AI Analysis
Technical Summary
The LearnPress plugin for WordPress, widely used for managing online learning content, contains a critical authorization bypass vulnerability identified as CVE-2025-14802. This vulnerability exists in the REST API endpoint /wp-json/lp/v1/material/{file_id}, which handles deletion of lesson material files. The DELETE operation uses the file_id parameter from the URL path to identify the target file for deletion. However, the authorization check incorrectly validates permissions against the item_id parameter supplied in the request body rather than the file_id. This parameter mismatch allows an authenticated user with teacher-level privileges to craft a DELETE request where the item_id corresponds to a resource they are authorized to manage, but the file_id targets a different teacher's file. As a result, the attacker can delete arbitrary lesson materials uploaded by other teachers without proper authorization. The vulnerability affects all versions up to and including 4.3.2.2 of LearnPress. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) indicates network exploitability with low attack complexity, requiring privileges but no user interaction, and impacts integrity and availability without affecting confidentiality. No public exploits are known at this time, but the flaw poses a significant risk to the integrity and availability of educational content managed via LearnPress.
Potential Impact
This vulnerability can have a substantial impact on organizations using LearnPress to deliver online courses. Unauthorized deletion of lesson materials can disrupt course delivery, degrade the learning experience, and cause data loss. Educational institutions, training providers, and enterprises relying on LearnPress for LMS functionality may face operational interruptions and reputational damage. Since the exploit requires only teacher-level authentication, insider threats or compromised teacher accounts can be leveraged to cause damage. The integrity of course content is compromised, and availability is affected as critical learning materials may be removed without trace. Although confidentiality is not impacted, the loss of educational resources can lead to significant remediation efforts and potential financial costs associated with content restoration and incident response.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update LearnPress to a patched version once available from the vendor. In the absence of an official patch, administrators can implement the following specific mitigations:
1) Restrict teacher-level permissions to only trusted users and monitor their activities closely.
2) Employ Web Application Firewalls (WAF) with custom rules to detect and block DELETE requests to /wp-json/lp/v1/material/ endpoints where the file_id and item_id parameters mismatch.
3) Conduct regular audits of REST API usage logs to identify suspicious deletion attempts.
4) Disable or restrict REST API access for users who do not require it, especially for deletion operations.
5) Consider implementing additional authorization checks via custom code or plugins that validate the file_id against the authenticated user's permissions before allowing deletion.
6) Educate teachers and administrators about the risks of credential compromise and enforce strong authentication mechanisms such as MFA.
These targeted actions go beyond generic advice and address the specific nature of the vulnerability.
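The parameter mismatch from the Technical Summary and the check recommended in mitigation 5, modelled in Python as an added example (this is not LearnPress code, which is PHP). The in-memory tables, user names and function names are constructed for illustration; the point is that the fixed callback derives ownership from the same file_id the handler deletes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical IDs and users).
MATERIALS = {101: 10, 202: 20}                    # file_id -> owning item_id
ITEM_OWNER = {10: "teacher_a", 20: "teacher_b"}   # item_id -> owning teacher


@dataclass
class DeleteRequest:
    user: str                      # authenticated caller
    file_id: int                   # from the URL path /material/{file_id}
    item_id: Optional[int] = None  # from the request body, caller-controlled


def permission_vulnerable(req, materials):
    # Authorizes on the body item_id only; the file being deleted is never
    # consulted, so the check and the action use different keys.
    return ITEM_OWNER.get(req.item_id) == req.user


def permission_fixed(req, materials):
    # Resolve the owning item from the key the handler will act on.
    item_id = materials.get(req.file_id)
    if item_id is None:
        return False
    # A body item_id that disagrees with the stored relationship is refused.
    if req.item_id is not None and req.item_id != item_id:
        return False
    return ITEM_OWNER.get(item_id) == req.user


def handle_delete(req, permission, materials):
    """Run the permission callback, then delete by the path file_id."""
    if not permission(req, materials):
        return 403
    if materials.pop(req.file_id, None) is None:
        return 404
    return 200


if __name__ == "__main__":
    # Mismatched request: caller's own item_id, another teacher's file_id.
    cross = DeleteRequest(user="teacher_a", file_id=202, item_id=10)
    print("vulnerable:", handle_delete(cross, permission_vulnerable, dict(MATERIALS)))
    print("fixed:     ", handle_delete(cross, permission_fixed, dict(MATERIALS)))
```
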
Affected Countries
United States, India, United Kingdom, Germany, Canada, Australia, France, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-16T20:58:27.037Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e0d1ea55ed4ed99880fe4
Added to database: 1/7/2026, 7:37:02 AM
Last enriched: 2/27/2026, 11:36:31 AM
Last updated: 3/24/2026, 5:32:51 PM