CVE-2025-2290

5.3 MEDIUM

📋 TL;DR

The LifterLMS WordPress plugin has an unauthenticated post trashing vulnerability that allows attackers without credentials to move all published posts to the trash, making website content unavailable. This affects all WordPress sites using LifterLMS versions up to 8.0.1. The vulnerability stems from missing capability checks in AJAX handlers.

💻 Affected Systems

Products:
  • LifterLMS - WP LMS for eLearning, Online Courses, & Quizzes
Versions: All versions up to and including 8.0.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable LifterLMS plugin versions enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

All published content becomes unavailable as posts are moved to trash, causing complete content disruption and potential business impact for e-learning sites.

🟠 Likely Case

Attackers trash published posts, disrupting website content availability and requiring manual restoration from backups.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to temporary content unavailability until restoration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted AJAX requests to vulnerable endpoints without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.2 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3257328/lifterlms/trunk/includes/class.llms.ajax.handler.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find LifterLMS and click 'Update Now'.
4. Verify the version is 8.0.2 or higher.

🔧 Temporary Workarounds

Workaround: Disable vulnerable AJAX endpoints
Applies to: all

Block access to the vulnerable AJAX handlers via a web application firewall or .htaccess rules.

# Add to .htaccess (requires mod_rewrite; reuse an existing RewriteEngine On line if the file already has one):
RewriteEngine On
# Caveat: mod_rewrite only sees the query string. admin-ajax.php actions sent in a POST body are not inspected
# by this rule, so pair it with a WAF rule that matches action=delete_access_plan in the request body as well.
RewriteCond %{QUERY_STRING} action=delete_access_plan [NC]
RewriteRule .* - [F,L]

🧯 If You Can't Patch

  • Disable LifterLMS plugin temporarily until patched
  • Implement strict network access controls to limit AJAX endpoint exposure

🔍 How to Verify

Check if Vulnerable:

Check LifterLMS plugin version in WordPress admin panel under Plugins > Installed Plugins

Check Version:

wp plugin list --name=lifterlms --field=version

Verify Fix Applied:

Confirm LifterLMS version is 8.0.2 or higher and test AJAX endpoints with unauthenticated requests

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with action=delete_access_plan from unauthenticated users
  • Sudden increase in post status changes to 'trash'

Network Indicators:

  • Unusual AJAX requests to WordPress admin endpoints from external IPs without authentication

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "delete_access_plan" AND NOT user_id=*
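As an added example (not part of this advisory or of the LifterLMS project), a small Python checker for the first log indicator above: repeated unauthenticated POST requests to admin-ajax.php carrying action=delete_access_plan. It assumes a JSON-lines log exported from the WordPress host with ip, method, path, action and user_id fields (user_id 0 meaning anonymous); the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records (assumed JSON-lines export from the WordPress host;
# user_id is the resolved WordPress user, 0 = not logged in).
SAMPLE_LOG = """\
{"ts":"2025-03-20T10:00:01Z","ip":"203.0.113.10","method":"POST","path":"/wp-admin/admin-ajax.php","action":"delete_access_plan","user_id":0}
{"ts":"2025-03-20T10:00:02Z","ip":"203.0.113.10","method":"POST","path":"/wp-admin/admin-ajax.php","action":"delete_access_plan","user_id":0}
{"ts":"2025-03-20T10:00:03Z","ip":"203.0.113.10","method":"POST","path":"/wp-admin/admin-ajax.php","action":"delete_access_plan","user_id":0}
{"ts":"2025-03-20T10:00:04Z","ip":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","action":"delete_access_plan","user_id":12}
{"ts":"2025-03-20T10:00:05Z","ip":"192.0.2.44","method":"POST","path":"/wp-admin/admin-ajax.php","action":"heartbeat","user_id":0}
{"ts":"2025-03-20T10:00:06Z","ip":"192.0.2.44","method":"GET","path":"/wp-admin/admin-ajax.php","action":"delete_access_plan","user_id":0}
"""

VULN_ACTION = "delete_access_plan"  # AJAX action named in the advisory


def is_suspicious(rec):
    """True for an unauthenticated request to admin-ajax.php invoking the vulnerable action."""
    return (rec.get("path", "").endswith("/wp-admin/admin-ajax.php")
            and rec.get("action") == VULN_ACTION
            and not rec.get("user_id"))  # 0 / missing user_id = anonymous


def find_sources(log_text, threshold=2):
    """Return {ip: count} for source IPs with at least `threshold` suspicious requests."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if is_suspicious(rec):
            counts[rec.get("ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_sources(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} unauthenticated {VULN_ACTION} requests to admin-ajax.php")
```

Tune the threshold to the site's baseline; a legitimate admin's requests carry a non-zero user_id and are never counted.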
