CVE-2025-2290: 
WordPress vulnerability analysis and mitigation

The LifterLMS WordPress plugin (versions up to and including 8.0.1) contains a vulnerability identified as CVE-2025-2290. This security flaw stems from a missing capability check in the deleteaccessplan function and related AJAX calls. The vulnerability was disclosed on March 19, 2025, and affects the core functionality of the LifterLMS plugin, which is used for creating and managing online courses and quizzes in WordPress (NVD Database).

The vulnerability is classified as a Missing Authorization issue (CWE-862) where the plugin fails to properly validate user capabilities before executing certain functions. The CVSS v3.1 base score is 5.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction (NVD Database).

When exploited, this vulnerability allows unauthenticated attackers to change the status of any published post to 'Trash', effectively enabling them to limit the availability of the website's content. This can significantly impact the accessibility of course materials and other content managed through the LifterLMS plugin (NVD Database).

A fix has been implemented in the plugin's code, as evidenced by changes in the AJAX handler class. The patch adds proper capability checks before allowing access to sensitive functions. Users should update their LifterLMS plugin to a version newer than 8.0.1 to protect against this vulnerability (WordPress Plugin).