WP Courses LMS < 3.2.4 – Missing Authorization | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the ~/ajax/ajax-lesson-order.php file hooked via AJAX in all versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions such as adding, deleting and renaming lesson modules.

Affects Plugins

Fixed in 3.2.4

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1127fe1e-4359-4dff-93a7-392a8bfded51

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

042552cc-dbdb-42af-ac85-c08972830a3c

Timeline

Publicly Published

2023-11-14 (about 2 years ago)

Added

2024-01-17 (about 2 years ago)

Last Updated

2024-01-17 (about 2 years ago)

Other

Published

Title

Published

2025-08-26

Title

Info Cards < 2.0.0 - Missing Authorization

Published

2025-09-14

Title

WPLMS < 1.9.9.8 - Missing Authorization

Published

2026-02-13

Title

Auto x LINE <= 1.0.0 – Unauthenticated REST API Endpoints Call

Published

2025-12-15

Title

Animation Addons for Elementor < 2.4.6 - Authenticated (Contributor+) Arbitrary Content Deletion

Published

2026-02-18

Title

Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches < 21.0.10 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update