CVE-2025-11923
📋 TL;DR
The LifterLMS WordPress plugin contains a privilege escalation vulnerability that allows authenticated users with student-level access or higher to elevate their privileges to administrator. Attackers can exploit this by sending crafted REST API requests to modify their own user role. This affects all WordPress sites running vulnerable versions of the LifterLMS plugin.
💻 Affected Systems
- LifterLMS WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise where any authenticated user becomes administrator, enabling data theft, malware installation, and full control over the WordPress installation.
Likely Case
Attackers with student accounts escalate to administrator privileges, potentially modifying content, stealing sensitive data, or installing backdoors.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place to detect and block privilege escalation attempts.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via REST API calls. Public proof-of-concept code is available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after those listed as vulnerable
Vendor Advisory: https://wordpress.org/plugins/lifterlms/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find LifterLMS and check whether an update is available.
4. Click 'Update Now' to install the latest version.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable REST API for unauthenticated users
Restrict REST API access to authenticated users only to reduce attack surface
Add to wp-config.php: define('REST_API_AUTH', true);
Temporarily disable LifterLMS plugin
Disable the vulnerable plugin until patching is possible
wp plugin deactivate lifterlms
🧯 If You Can't Patch
- Implement strict network access controls to limit REST API access to trusted IPs only
- Enable detailed logging of user role changes and monitor for suspicious privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check LifterLMS plugin version in WordPress admin under Plugins → Installed Plugins
Check Version:
wp plugin get lifterlms --field=version
Verify Fix Applied:
Verify plugin version is not in the affected ranges listed above
📡 Detection & Monitoring
Log Indicators:
- REST API requests to /wp-json/llms/v1/students/* or /wp-json/llms/v1/users/* with role modification parameters
- User role changes from student/instructor to administrator
Network Indicators:
- POST requests to LifterLMS REST endpoints with role parameter modifications
SIEM Query:
source="wordpress" AND (uri_path="/wp-json/llms/v1/students/*" OR uri_path="/wp-json/llms/v1/users/*") AND http_method="POST" AND request_body CONTAINS "role"
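The logging recommended under "If You Can't Patch" and the REST indicators listed above can be implemented server-side as a must-use plugin. The following is an added example written for this advisory, not LifterLMS project code: it records every WordPress role change as a structured log entry and rejects non-GET requests to the named LifterLMS routes that carry a role parameter unless the caller already holds promote_users. The route prefixes come from the Log Indicators above; the parameter names ('role', 'roles') and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: LLMS REST Role-Change Guard (example, not part of LifterLMS)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Route prefixes named in the advisory's Log Indicators.
const LLMS_GUARD_ROUTES = array( '/llms/v1/students', '/llms/v1/users' );
// Parameter names are an assumption; confirm against the controller source.
const LLMS_GUARD_ROLE_PARAMS = array( 'role', 'roles' );

// Virtual patch: block role-carrying writes to the LifterLMS user routes
// from callers who could not legitimately promote users.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) || 'GET' === $request->get_method() ) {
        return $response;
    }
    $route = $request->get_route();
    foreach ( LLMS_GUARD_ROUTES as $prefix ) {
        if ( 0 !== strpos( $route, $prefix ) ) {
            continue;
        }
        foreach ( LLMS_GUARD_ROLE_PARAMS as $param ) {
            if ( null !== $request->get_param( $param ) && ! current_user_can( 'promote_users' ) ) {
                error_log( sprintf( 'llms-guard: blocked role change attempt user=%d route=%s ip=%s',
                    get_current_user_id(), $route, $_SERVER['REMOTE_ADDR'] ?? '' ) );
                return new WP_Error( 'llms_guard_forbidden', 'Role changes are not permitted on this route.',
                    array( 'status' => 403 ) );
            }
        }
    }
    return $response;
}, 10, 3 );

// Detection: log every role change with actor, target and request context
// (JSON, one line per event) so escalations to administrator surface in the SIEM.
add_action( 'set_user_role', function ( $user_id, $new_role, $old_roles ) {
    $entry = array(
        'event'    => 'wp_role_change',
        'target'   => (int) $user_id,
        'old'      => array_values( (array) $old_roles ),
        'new'      => $new_role,
        'actor'    => get_current_user_id(),
        'uri'      => $_SERVER['REQUEST_URI'] ?? '',
        'is_rest'  => defined( 'REST_REQUEST' ) && REST_REQUEST,
        'severity' => 'administrator' === $new_role ? 'high' : 'info',
    );
    error_log( wp_json_encode( $entry ) );
}, 10, 3 );
```

Entries with "severity":"high" together with "is_rest":true are the events to alert on; an actor id equal to the target id on such an entry is a self-promotion.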
🔗 References
- https://plugins.trac.wordpress.org/browser/lifterlms/trunk/libraries/lifterlms-rest/includes/abstracts/class-llms-rest-users-controller.php#L721
- https://plugins.trac.wordpress.org/browser/lifterlms/trunk/libraries/lifterlms-rest/includes/server/class-llms-rest-students-controller.php#L386
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393703%40lifterlms%2Ftrunk&old=3388956%40lifterlms%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cc13d13c-6b79-4bf1-8e77-c8cb836dc0c5?source=cve