Arbitrary Post Deletion in LifterLMS Plugin for WordPress
CVE-2024-12596
4.3 MEDIUM
What is CVE-2024-12596?
The LifterLMS plugin, widely used for creating eLearning platforms on WordPress, contains a vulnerability that allows authenticated users with Subscriber-level access or higher to delete arbitrary posts. The issue arises from a missing capability check on the 'llms_delete_cert' action and affects all versions up to and including 7.8.5. An attacker who holds any account on the site can exploit the flaw to remove critical content, which puts data integrity and platform reliability at risk. Affected sites need immediate attention: apply patches and mitigate potential exploitation.
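The bug class described above, shown as an added illustration: a form handler that deletes whatever post ID it is given, next to a hardened form that checks the nonce, the post type and the caller's capability. This is not LifterLMS source code; the function names, the `example_delete_cert` and `certificate_id` fields, the `_example_nonce` field and the `example_certificate` post type are hypothetical placeholders, and only the WordPress core functions are real.

```php
<?php
// Added illustration: hypothetical plugin code, NOT taken from LifterLMS.
// All example_* names and form fields are placeholders.

// Pattern from the advisory: the handler trusts the posted ID.
function example_delete_cert_unchecked() {
    if ( empty( $_POST['example_delete_cert'] ) ) {
        return;
    }
    $post_id = absint( $_POST['certificate_id'] ?? 0 );
    // No capability check and no post-type check: any logged-in user,
    // Subscriber included, decides which post on the site is deleted.
    wp_delete_post( $post_id, true );
}

// Hardened form: verify intent, then object type, then authorization.
function example_delete_cert_checked() {
    if ( empty( $_POST['example_delete_cert'] ) ) {
        return;
    }
    // 1. Nonce: proves the request came from the site's own form.
    //    It does not prove the user is allowed to delete anything.
    $nonce = isset( $_POST['_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_delete_cert' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $post_id = absint( $_POST['certificate_id'] ?? 0 );
    // 2. Object check: the handler may only touch certificate posts,
    //    never pages, courses or other content.
    if ( ! $post_id || 'example_certificate' !== get_post_type( $post_id ) ) {
        wp_die( 'Not a certificate.', '', array( 'response' => 400 ) );
    }
    // 3. Capability check, the step the advisory reports as missing.
    //    'delete_post' is a meta capability resolved for this post ID.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    wp_delete_post( $post_id, true );
}
add_action( 'init', 'example_delete_cert_checked' );
```

When reviewing other form handlers for the same flaw, look for any path that reaches `wp_delete_post()` or `wp_update_post()` with a request-supplied ID and no `current_user_can()` call on that ID.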