Description
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
Published: 2026-01-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated file deletion by teachers
Action: Patch
AI Analysis

Impact

LearnPress for WordPress, in versions up to and including 4.3.2.2, contains an insecure direct object reference (CWE-639) in the DELETE handler of the /wp-json/lp/v1/material/{file_id} REST route. The handler deletes the file identified by file_id in the URL path, but the route's permission callback checks ownership of a different identifier, item_id, taken from the request body. Because the two identifiers are never tied together, an authenticated teacher can submit an item_id they own (to satisfy the check) while placing another teacher's file_id in the path, and the other teacher's lesson material is deleted. The effect is loss of integrity and availability of course content (legitimate instructional files disappear and course delivery is disrupted); confidentiality is not affected.
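To make the mismatch concrete, the following is an added illustration and not LearnPress's own code: a minimal WordPress REST route registered the vulnerable way (permission_callback checks item_id from the body, callback deletes file_id from the path) next to the corrected registration that authorises on the same path parameter the handler acts on. The demo/v1 namespace, the demo_* function names, the assumption that a material is a WordPress attachment whose post_author is the uploader, and the delete_others_posts capability used as the administrator override are all assumptions made for the example.

```php
<?php
/**
 * Illustrative only: NOT LearnPress code. Reproduces the class of bug described
 * above (CWE-639) in a minimal WordPress REST route, then shows the corrected
 * registration. Namespace, route and helper names are assumptions.
 */

// Hypothetical ownership lookup: assumes the material is stored as a WordPress
// attachment whose post_author is the uploading teacher.
function demo_material_owner( int $file_id ): int {
    $post = get_post( $file_id );
    return ( $post && 'attachment' === $post->post_type ) ? (int) $post->post_author : 0;
}

// VULNERABLE pattern: permission_callback authorises on item_id (request body),
// but the handler deletes file_id (URL path). A teacher who owns item 42 can send
// DELETE /wp-json/demo/v1/material/99 with body item_id=42 and delete file 99.
// Defined for comparison only; it is deliberately never hooked.
function demo_register_vulnerable_route() {
    register_rest_route( 'demo/v1', '/material/(?P<file_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'permission_callback' => function ( WP_REST_Request $request ) {
            $item_id = (int) $request->get_param( 'item_id' );   // attacker-controlled body value
            return demo_material_owner( $item_id ) === get_current_user_id();
        },
        'callback' => function ( WP_REST_Request $request ) {
            $file_id = (int) $request['file_id'];                // a different identifier!
            $ok = (bool) wp_delete_attachment( $file_id, true );
            return rest_ensure_response( array( 'deleted' => $ok ) );
        },
    ) );
}

// FIXED pattern: authorise and act on the same identifier, taken from the path.
// The regex already guarantees file_id is numeric, so no body value is consulted.
function demo_register_fixed_route() {
    register_rest_route( 'demo/v1', '/material/(?P<file_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'permission_callback' => function ( WP_REST_Request $request ) {
            $file_id = (int) $request['file_id'];
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Login required.', array( 'status' => 401 ) );
            }
            // Owner, or an administrator-level capability (assumed override); anything else is denied.
            if ( demo_material_owner( $file_id ) !== get_current_user_id()
                 && ! current_user_can( 'delete_others_posts' ) ) {
                return new WP_Error( 'rest_forbidden', 'Not your material.', array( 'status' => 403 ) );
            }
            return true;
        },
        'callback' => function ( WP_REST_Request $request ) {
            $file_id = (int) $request['file_id'];                // same value the permission check used
            if ( ! wp_delete_attachment( $file_id, true ) ) {
                return new WP_Error( 'delete_failed', 'Could not delete file.', array( 'status' => 500 ) );
            }
            return rest_ensure_response( array( 'deleted' => $file_id ) );
        },
    ) );
}

add_action( 'rest_api_init', 'demo_register_fixed_route' );
```

The point of the fixed version is not the extra capability check but that the permission callback and the handler read the same request field; any review of a REST route should confirm that the object the permission callback authorises is the object the callback mutates.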

Affected Systems

All WordPress sites running the Thimpress LearnPress plugin at any version up to and including 4.3.2.2 are affected. The vulnerable code is reached through the REST route /wp-json/lp/v1/material/{file_id} with the DELETE method. Versions 4.3.2.3 and later are not known to contain the flaw; since this page's remediation field records no vendor statement, confirm the fix version against the vendor's changelog before relying on it.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4, Medium) breaks down as network-reachable, low attack complexity, a low-privileged account required (here a teacher/instructor role), no user interaction, and partial integrity and availability impact with no confidentiality impact. The EPSS score below 1 % and the SSVC assessment recorded in the history (Exploitation: none, Automatable: no) indicate no known exploitation at the time of enrichment, and the CVE is not listed in the CISA KEV catalog. The only prerequisites are a teacher-level account and the ability to send a DELETE request to the route; note that a cookie-authenticated WordPress REST call also needs a valid nonce in the X-WP-Nonce header, which any logged-in user can obtain from the site, so this is not a meaningful barrier. Once those prerequisites are met, the attacker can delete any other teacher's material file one request at a time. The outcome is destructive to course content but does not by itself grant privilege escalation or code execution.

Generated by OpenCVE AI on April 22, 2026 at 00:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LearnPress to version 4.3.2.3 or newer, in which the permission callback is expected to check the same file_id the handler acts on; confirm the fix against the vendor's changelog, since this page's remediation field records no vendor statement.
  • If an upgrade is not immediately feasible, interpose on the route (a must-use plugin on the rest_request_before_callbacks filter, or a WAF rule) so that DELETE /wp-json/lp/v1/material/{file_id} is allowed only when the requesting user owns file_id or is an administrator. Restricting the route to administrators is simpler but also blocks teachers from deleting their own material.
  • Log DELETE requests to the route together with the authenticated user, the path file_id and the body item_id; a request in which item_id and file_id belong to different owners is the exploit signature and should alert. Keep uploads backed up so deleted material can be restored.
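One way to implement the interposition and the logging in the second and third items above, as an added example that is not LearnPress's or OpenCVE's code: a must-use plugin that hooks WordPress's rest_request_before_callbacks filter, which runs after route matching and before the plugin's own permission_callback, so returning a WP_Error from it ends the request. It assumes that material files are WordPress attachments whose post_author is the uploading teacher, and that the route is exactly /lp/v1/material/{file_id}; both are assumptions to verify against your installation before deploying. The matguard_* names are invented for the example.

```php
<?php
/**
 * Plugin Name: Material delete ownership guard (added example, not LearnPress code)
 *
 * Drop-in mu-plugin for wp-content/mu-plugins/. Denies and logs any DELETE to
 * /lp/v1/material/{file_id} whose path file_id is not owned by the caller.
 *
 * ASSUMPTIONS (not verified against LearnPress): the material is a WordPress
 * attachment whose post_author is the uploading teacher; the route is exactly
 * /lp/v1/material/{file_id}; administrators are identified by manage_options.
 */

function matguard_log( string $msg, array $ctx ) {
    // Written through PHP's error_log(), so it lands in the configured PHP/WP log
    // (wp-content/debug.log when WP_DEBUG_LOG is enabled) for SIEM pickup.
    error_log( 'matguard ' . $msg . ' ' . wp_json_encode( $ctx ) );
}

function matguard_guard( $response, $handler, WP_REST_Request $request ) {
    if ( 'DELETE' !== $request->get_method() ) {
        return $response;
    }
    // get_route() returns the matched route without the /wp-json prefix.
    if ( ! preg_match( '#^/lp/v1/material/(\d+)$#', $request->get_route(), $m ) ) {
        return $response;
    }

    $file_id = (int) $m[1];
    $user_id = get_current_user_id();
    $post    = get_post( $file_id );
    $owner   = ( $post && 'attachment' === $post->post_type ) ? (int) $post->post_author : 0;

    // body_item_id is the parameter the vulnerable permission check trusted; logging
    // it next to file_id makes the cross-owner pattern visible to an analyst.
    $ctx = array(
        'user_id'      => $user_id,
        'file_id'      => $file_id,
        'owner'        => $owner,
        'body_item_id' => $request->get_param( 'item_id' ),
        'remote_addr'  => $_SERVER['REMOTE_ADDR'] ?? '',
    );

    if ( ! $user_id ) {
        matguard_log( 'denied (unauthenticated)', $ctx );
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( $owner !== $user_id && ! current_user_can( 'manage_options' ) ) {
        // Exactly the condition the exploit needs: the caller does not own the
        // file named in the path. Deny here; the plugin's own callbacks never run.
        matguard_log( 'denied (cross-owner delete attempt)', $ctx );
        return new WP_Error( 'rest_forbidden', 'You do not own this material.', array( 'status' => 403 ) );
    }

    matguard_log( 'allowed', $ctx );
    return $response;
}
add_filter( 'rest_request_before_callbacks', 'matguard_guard', 10, 3 );
```

Because the filter fires before the plugin's permission_callback, the guard holds regardless of what the plugin checks, which is what makes it usable as a virtual patch until the upgrade is applied; the "allowed" lines can be dropped once the alerting rule on "denied (cross-owner delete attempt)" is in place.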

Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Thimpress; Thimpress learnpress; Wordpress; Wordpress wordpress
Vendors & Products | | Thimpress; Thimpress learnpress; Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
Title | | LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:15.500Z

Reserved: 2025-12-16T20:58:27.037Z

Link: CVE-2025-14802

Vulnrichment

Updated: 2026-01-07T14:50:47.327Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:56.477

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14802

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses