{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2290", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-13T16:43:28.074Z", "datePublished": "2025-03-19T04:21:05.815Z", "dateUpdated": "2026-04-08T16:52:01.235Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:01.235Z"}, "affected": [{"vendor": "chrisbadgett", "product": "LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quizzes", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to \"Trash\" for every published post, therefore limiting the availability of the website's content."}], "title": "LifterLMS <= 8.0.1 - Missing Authorization to Unauthenticated Post Trashing", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f64dbf2-b75a-4a35-9b4e-413b8fd1fff0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3257328/lifterlms/trunk/includes/class.llms.ajax.handler.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-03-13T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-03-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-19T14:03:24.818201Z", "id": "CVE-2025-2290", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T14:03:46.870Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2290", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-19T14:03:24.818201Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T14:03:39.001Z"}}], "cna": {"title": "LifterLMS <= 8.0.1 - Missing Authorization to Unauthenticated Post Trashing", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "chrisbadgett", "product": "LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quizzes", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "8.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-13T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-03-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f64dbf2-b75a-4a35-9b4e-413b8fd1fff0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3257328/lifterlms/trunk/includes/class.llms.ajax.handler.php"}], "descriptions": [{"lang": "en", "value": "The LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to \"Trash\" for every published post, therefore limiting the availability of the website's content."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-19T04:21:05.815Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2290", "state": "PUBLISHED", "dateUpdated": "2025-03-19T14:03:46.870Z", "dateReserved": "2025-03-13T16:43:28.074Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-19T04:21:05.815Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lifterlms:lifterlms:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A7592D4A-F1A1-4102-8807-08FC59F1A16B", "versionEndExcluding": "8.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to \"Trash\" for every published post, therefore limiting the availability of the website's content."}, {"lang": "es", "value": "El complemento LifterLMS \u2013 WP LMS for eLearning, Online Courses, &amp; Quizzes para WordPress es vulnerable al borrado de entradas no autenticadas debido a la falta de comprobaci\u00f3n de capacidad en la funci\u00f3n delete_access_plan y las llamadas AJAX relacionadas en todas las versiones hasta la 8.0.1 incluida. Esto permite que atacantes no autenticados cambien el estado a \"Papelera\" para cada entrada publicada, limitando as\u00ed la disponibilidad del contenido del sitio web."}], "id": "CVE-2025-2290", "lastModified": "2025-07-11T21:23:28.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-03-19T05:15:41.180", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3257328/lifterlms/trunk/includes/class.llms.ajax.handler.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f64dbf2-b75a-4a35-9b4e-413b8fd1fff0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:51:18.902673+00:00", "value": {"mitigation_remediation": ["Upgrade the LifterLMS plugin to a release newer than 8.0.1, which restores the missing capability checks for the delete_access_plan AJAX actions.", "If an immediate upgrade is not possible, add a custom snippet that hooks into wp_ajax_lifterlms_delete_access_plan and returns a 403 response for any user lacking the edit_posts capability.", "As an interim protective measure, configure the site\u2019s web\u2011server or firewall to block unauthenticated requests to the LifterLMS AJAX endpoints in admin\u2011ajax.php."], "summary": {"action": "Immediate Patch", "impact": "Availability disruption"}, "threat_synthesis": {"affected_systems": "Versions of the LifterLMS plugin published by Chris Badgett for WordPress, up to and including 8.0.1, are affected. Newer releases are assumed to contain the fix.", "description_and_impact": "The LifterLMS WordPress plugin contains a missing capability check that permits any unauthenticated user to trigger the delete_access_plan AJAX routine, which moves every published post to the Trash folder. This flaw is identified as CWE\u2011862. The effect is a denial of service or content loss, compromising the availability of a website\u2019s learning materials.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS probability is below 1%, suggesting limited exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Attackers would use unauthenticated AJAX calls to trigger deletion, meaning no user credential is required. Despite the low current exploitation likelihood, the impact on content availability warrants prompt remediation."}}}}, "created": "2026-04-21T22:00:26.594991+00:00", "updated": "2026-04-21T22:00:26.595008+00:00", "vendors": []}