{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14802", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-16T20:58:27.037Z", "datePublished": "2026-01-07T07:17:33.170Z", "dateUpdated": "2026-04-08T17:05:15.500Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:15.500Z"}, "affected": [{"vendor": "thimpress", "product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id."}], "title": "LearnPress \u2013 WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Deniz Mert"}], "timeline": [{"time": "2025-12-16T21:05:46.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-06T18:42:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:50:45.348178Z", "id": "CVE-2025-14802", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:13:20.829Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T14:50:45.348178Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:50:47.327Z"}}], "cna": {"title": "LearnPress \u2013 WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Deniz Mert"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "thimpress", "product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.3.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-16T21:05:46.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-06T18:42:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403"}], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:15.500Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14802", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:15.500Z", "dateReserved": "2025-12-16T20:58:27.037Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T07:17:33.170Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id."}], "id": "CVE-2025-14802", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:56.477", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:04:49.687924+00:00", "value": {"mitigation_remediation": ["Upgrade LearnPress to version 4.3.2.3 or newer, which aligns the authorization check with the file identifier used in the URL.", "If an upgrade is not immediately feasible, restrict the \"/wp-json/lp/v1/material/{file_id}\" endpoint to administrators only or add a custom permission filter that confirms the material belongs to the requesting teacher.", "Monitor the REST endpoint for abnormal DELETE requests and block or alert on traffic that attempts to delete files outside the user\u2019s ownership."], "summary": {"action": "Patch", "impact": "Authenticated file deletion by teachers"}, "threat_synthesis": {"affected_systems": "All installations of the Thimpress LearnPress WordPress LMS plugin on WordPress sites that run any version up to and including 4.3.2.2 are affected. The vulnerability is triggered by the REST API endpoint \"/wp-json/lp/v1/material/{file_id}\". Versions 4.3.2.3 and later are not known to contain the flaw.", "description_and_impact": "The LearnPress WordPress LMS plugin is vulnerable to an insecure direct object reference that permits a teacher\u2011level user to delete lesson material belonging to another teacher. The flaw originates from a mismatch between the DELETE REST API endpoint and the authorization check: the endpoint extracts the target file identifier from the URL path, while the permission check validates a different ID supplied in the request body. This allows an authenticated teacher to craft a DELETE request with their own item_id value to pass authorization and target another teacher\u2019s file_id, leading to unauthorized file deletion. As a result, legitimate instructional resources can be removed, disrupting course delivery and damaging educators\u2019 confidence in the platform.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1\u202f%, suggesting a very low exploitation probability under current conditions. The vulnerability is not listed in the CISA KEV catalog. An attacker needs only to be authenticated with teacher\u2011level privileges and to be able to make a DELETE request to the exposed endpoint. Once those prerequisites are met, the attacker can delete any material file owned by another teacher, potentially erasing course content and compromising instructional integrity."}}}}, "created": "2026-01-08T09:50:00.070546+00:00", "updated": "2026-04-22T00:15:03.767591+00:00", "vendors": ["thimpress", "thimpress$PRODUCT$learnpress", "wordpress", "wordpress$PRODUCT$wordpress"]}