CVE-2025-11923: 
WordPress vulnerability analysis and mitigation

CVE-2025-11923 affects the LifterLMS WordPress plugin, a platform for eLearning, Online Courses, and Quizzes. The vulnerability was discovered and reported by researcher shark3y and was published on November 12, 2025. The issue affects multiple version ranges including 3.5.3-3.41.2, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7, 9.0.0-9.0.7, and 9.1.0 (NVD).

The vulnerability is classified as a privilege escalation issue with a CVSS v3.1 base score of 8.8 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The core issue stems from improper validation of user identity in the REST API, specifically in the update_item_permissions_check() function. The function returns true when a user updates their own account without properly verifying role changes (Wordfence).

The vulnerability allows authenticated attackers with student-level access or higher to escalate their privileges to administrator level. This is achieved by updating their own roles array through a crafted REST API request. Additionally, an endpoint intended for instructors provides another attack vector for privilege escalation (NVD).

A security patch has been released in version 9.1.1 of the LifterLMS plugin. The update fixes the security issue where student and instructor REST APIs could be used to modify roles incorrectly (WordPress Plugin).