LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes < 7.8.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion | CVE 2024-12596 | Plugin Vulnerabilities

Description

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post deletion due to a missing capability check on the 'llms_delete_cert' action in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

Affects Plugins

Fixed in 7.8.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8e75a03b-7552-4228-a4d0-13c78d20f6d5

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

5cde336b-f0ee-41dd-a294-6ede0bab9fb8

Timeline

Publicly Published

2024-12-17 (about 1 year ago)

Added

2024-12-17 (about 1 year ago)

Last Updated

2024-12-18 (about 1 year ago)

Other

Published

Title

Published

2025-10-30

Title

Frontend File Manager < 23.3 - Missing Authorization

Published

2024-04-22

Title

Secure Copy Content Protection and Content Locking < 3.7.2 - Missing Authorization

Published

2025-10-04

Title

IgnitionDeck <= 2.0.10 - Missing Authorization

Published

2025-04-01

Title

JS Job Manager <= 2.0.2 - Missing Authorization

Published

2025-12-20

Title

WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via 'status'