CVE-2025-14802 Overview
The LearnPress – WordPress LMS Plugin for WordPress contains an unauthorized file deletion vulnerability affecting versions up to and including 4.3.2.2. The flaw exists in the /wp-json/lp/v1/material/{file_id} REST API endpoint due to a critical parameter mismatch between the DELETE operation and its authorization check. Specifically, the endpoint uses file_id from the URL path to determine which file to delete, but the permission callback validates item_id from the request body instead. This inconsistency allows authenticated attackers with teacher-level access to delete arbitrary lesson material files uploaded by other teachers.
Critical Impact
Authenticated attackers with teacher privileges can exploit the authorization bypass to delete other teachers' lesson materials, potentially disrupting educational content and causing data loss across a WordPress LMS platform.
Affected Products
- LearnPress – WordPress LMS Plugin versions up to and including 4.3.2.2
- WordPress sites using vulnerable LearnPress plugin versions
- LMS platforms with teacher-level user accounts
Discovery Timeline
- 2026-01-07 - CVE-2025-14802 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-14802
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a type of Insecure Direct Object Reference (IDOR) vulnerability. The fundamental issue stems from a parameter mismatch in how the REST API endpoint handles file deletion requests versus how it verifies authorization.
When a DELETE request is sent to the material endpoint, the system extracts two different parameters from two different locations: the file_id from the URL path determines which file gets deleted, while the item_id from the request body is used to check if the requester has permission to perform the action. This architectural flaw creates an authorization bypass where an attacker can supply their own legitimate item_id to pass the permission check while simultaneously specifying a victim's file_id in the URL to target their files.
The attack requires teacher-level authentication, limiting the attack surface to authenticated users with elevated privileges within the LMS. However, in educational environments where multiple teachers manage course content, this vulnerability poses a significant risk to content integrity and availability.
Root Cause
The root cause is a design flaw in the REST API controller's permission validation logic. The class-lp-rest-material-controller.php file implements separate handling for the file identifier used in the DELETE operation and the item identifier validated in the authorization callback. This disconnection between the resource being accessed and the resource being validated creates an exploitable gap in access control. The permission callback trusts that the item_id in the request body corresponds to the file_id in the URL, but no verification ensures these parameters reference the same ownership context.
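The mismatch can be modelled in a few lines of Python. This is an added example, not LearnPress code: the ownership tables, DeleteRequest and all function names are constructed for illustration. permission_mismatched authorizes on the body item_id only, while permission_bound authorizes on the item that actually owns the file_id taken from the path.

```python
from dataclasses import dataclass

# Constructed data model (assumption): material file -> lesson item -> author.
FILE_TO_ITEM = {101: 11, 202: 22}        # file_id -> item_id
ITEM_AUTHOR = {11: "alice", 22: "bob"}   # item_id -> owning teacher


@dataclass
class DeleteRequest:
    user: str
    path_file_id: int   # {file_id} from the URL path
    body_item_id: int   # item_id from the request body


def can_edit_item(user, item_id):
    """True when the user is the author of the lesson item."""
    return ITEM_AUTHOR.get(item_id) == user


def permission_mismatched(req):
    """Flawed check: looks only at the body item_id, never at the file."""
    return can_edit_item(req.user, req.body_item_id)


def permission_bound(req):
    """Corrected check: authorize on the item that owns the path file_id."""
    parent_item = FILE_TO_ITEM.get(req.path_file_id)
    if parent_item is None:
        return False    # unknown file: fail closed
    return can_edit_item(req.user, parent_item)


def handle_delete(req, permission_check, store):
    """The delete always acts on the path file_id, as the endpoint does."""
    if not permission_check(req):
        return 403
    if store.pop(req.path_file_id, None) is None:
        return 404
    return 200
```

With the flawed check, a request from alice carrying her own item_id 11 and bob's file 202 returns 200 and removes the file; with the bound check the same request returns 403 and the store is unchanged.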
Attack Vector
The attack vector is network-based and requires authentication with teacher-level privileges. An attacker would craft a malicious DELETE request to the /wp-json/lp/v1/material/{victim_file_id} endpoint, where {victim_file_id} is the identifier of another teacher's material file. In the request body, the attacker includes their own legitimate item_id which they have permission to modify. The permission callback validates against the attacker's item_id and grants access, while the actual deletion operation targets the victim's file specified in the URL path.
The exploitation process involves:
- The attacker authenticates as a teacher with access to at least one lesson material
- The attacker identifies the file_id of a target file owned by another teacher
- The attacker sends a DELETE request with their own item_id in the body but the victim's file_id in the URL
- The system validates permissions against the attacker's item_id and approves the request
- The system then deletes the file corresponding to the victim's file_id
For detailed code analysis, see the WordPress LearnPress Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-14802
Indicators of Compromise
- Unusual DELETE requests to /wp-json/lp/v1/material/ endpoints with mismatched file_id and item_id parameters
- Log entries showing teachers accessing or modifying material files outside their assigned courses
- Reports of missing lesson materials from multiple teachers without legitimate explanations
- Increased volume of DELETE requests to the LearnPress REST API from teacher accounts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect DELETE requests to LearnPress material endpoints where the authorization context doesn't match the target resource
- Monitor WordPress REST API access logs for patterns of cross-teacher material access attempts
- Deploy intrusion detection signatures to alert on DELETE requests to /wp-json/lp/v1/material/ with request body parameters that don't correlate with URL path parameters
- Review audit logs for file deletion events performed by teachers on content they did not originally upload
Monitoring Recommendations
- Enable detailed logging for all REST API requests to LearnPress endpoints, capturing both URL parameters and request body content
- Configure alerts for any file deletion operations affecting lesson materials owned by users other than the requester
- Implement file integrity monitoring for LearnPress material upload directories to detect unauthorized deletions
- Establish baseline metrics for normal DELETE operation patterns and alert on statistical anomalies
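One way to run the audit described above over captured REST logs, as an added example that is not part of the original advisory. It assumes a JSON-lines log that records user, method, path and request body (the logging recommended above) and an ownership snapshot taken from a backup; the log format, the OWNERSHIP table and the sample records are all constructed.

```python
import json
import re

# Matches the material endpoint and captures the file_id from the path.
MATERIAL_PATH = re.compile(r"^/wp-json/lp/v1/material/(\d+)/?$", re.IGNORECASE)

# Constructed ownership snapshot (assumption): file_id -> (item_id, author).
OWNERSHIP = {101: (11, "alice"), 202: (22, "bob"), 303: (22, "bob"), 404: (22, "bob")}

# Constructed sample log, one JSON record per line (format is an assumption).
SAMPLE_LOG = """\
{"ts":"2026-01-05T09:12:01Z","user":"alice","method":"DELETE","path":"/wp-json/lp/v1/material/101","body":{"item_id":11}}
{"ts":"2026-01-05T09:14:40Z","user":"alice","method":"DELETE","path":"/wp-json/lp/v1/material/202","body":{"item_id":11}}
{"ts":"2026-01-05T09:15:02Z","user":"bob","method":"GET","path":"/wp-json/lp/v1/material/101","body":{}}
{"ts":"2026-01-05T09:15:30Z","user":"alice","method":"DELETE","path":"/wp-json/lp/v1/material/303?_locale=user","body":{"item_id":"11"}}
{"ts":"2026-01-05T10:01:00Z","user":"bob","method":"DELETE","path":"/wp-json/lp/v1/material/404","body":{"item_id":22}}
{"ts":"2026-01-05T10:02:00Z","user":"bob","method":"DEL
{"ts":"2026-01-05T11:30:00Z","user":"carol","method":"DELETE","path":"/wp-json/lp/v1/material/202","body":{"item_id":22}}
"""


def audit(log_text, ownership):
    """Return (ts, user, file_id, reason) for each suspicious material DELETE."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            method, path = rec["method"].upper(), rec["path"]
        except (ValueError, KeyError, TypeError, AttributeError):
            continue                      # truncated or malformed record
        match = MATERIAL_PATH.match(path.split("?", 1)[0])
        if method != "DELETE" or not match:
            continue
        file_id = int(match.group(1))
        body_item = (rec.get("body") or {}).get("item_id")
        owner = ownership.get(file_id)
        if owner is None:
            reason = "unknown_file"       # not in snapshot: review manually
        elif str(body_item) != str(owner[0]):
            reason = "item_id_mismatch"   # body item does not own the path file
        elif rec.get("user") != owner[1]:
            reason = "not_owner"          # right item, but requester is not its author
        else:
            continue
        findings.append((rec.get("ts"), rec.get("user"), file_id, reason))
    return findings
```

The item_id_mismatch findings correspond to the request shape this CVE describes; not_owner and unknown_file are broader review signals rather than proof of exploitation.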
How to Mitigate CVE-2025-14802
Immediate Actions Required
- Update LearnPress plugin to version 4.3.2.3 or later, which contains the security fix
- Audit recent DELETE requests to the LearnPress material API for evidence of exploitation
- Temporarily restrict teacher-level API access if immediate patching is not possible
- Review and restore any lesson materials that may have been inappropriately deleted
Patch Information
The vulnerability has been addressed in LearnPress version 4.3.2.3. The fix ensures that the permission callback properly validates ownership against the same file_id used in the DELETE operation, eliminating the parameter mismatch vulnerability. The patched code can be reviewed in the WordPress Plugin Repository.
Workarounds
- Disable the LearnPress REST API material endpoints if the feature is not essential to operations until patching can be completed
- Implement additional authorization checks at the web server level to validate request consistency before passing to WordPress
- Restrict teacher account creation and privileges to only trusted individuals pending the update
- Use a WordPress security plugin to add custom REST API request validation rules
# Configuration example
# Add to .htaccess to temporarily block vulnerable endpoint
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} DELETE
RewriteCond %{REQUEST_URI} ^/wp-json/lp/v1/material/ [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


