CVE-2025-11923: The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalati
high vulnerability
security
Summary
The LifterLMS WordPress plugin has a privilege escalation vulnerability (CVE-2025-11923) where the plugin fails to properly verify user identity before allowing role changes through the REST API (a standard way for programs to communicate and exchange data). This allows attackers with student-level access to promote themselves to administrator by sending a specially crafted request to modify their own role. The vulnerability affects multiple versions of the plugin ranging from 3.5.3 through 9.1.0.
Vulnerability Details
CVSS Score
8.8 (high)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Sophistication: Moderate
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-11923
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%