LearnPress – WordPress LMS Plugin < 4.3.2.2 – Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion | CVE 2025-14802 | Plugin Vulnerabilities

Description

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.

Affects Plugins

Fixed in 4.3.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Deniz Mert (dennywise)

Verified

No

WPVDB ID

af7af465-fb16-4096-85d6-0828047719a9

Timeline

Publicly Published

2026-01-06 (about 4 months ago)

Added

2026-01-06 (about 4 months ago)

Last Updated

2026-01-07 (about 4 months ago)

Other

Published

Title

Published

2024-10-14

Title

WP 2FA with Telegram < 3.1 - Authenticated (Subscriber+) Authentication Bypass

Published

2025-04-30

Title

WordPress Simple PayPal Shopping Cart < 5.1.4 - Insecure Direct Object Reference

Published

2024-11-11

Title

Futurio Extra < 2.0.14 - Authenticated (Contributor+) Post Disclosure

Published

2026-02-23

Title

Really Simple Security Pro < 9.5.4.1 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2026-01-07

Title

Image Slider Slideshow <= 1.8 - Authenticated (Contributor+) Insecure Direct Object Reference