CVE-2025-14802
LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material DeletionThe LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
We have discovered 9,060 live websites that are affected by CVE-2025-14802.
Affected Software
| Product | |
| Category | Learning Management System |
| Vulnerable Domains | 9,060 live websites (92% of LearnPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 150 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-639 Authorization Bypass Through User-Controlled KeyDetails
- Published - Jan 7, 2026
- Updated - Jan 7, 2026
Credits
- Deniz Mert (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-14802 United States | 2,490 websites |
 Germany | 631 websites |
 India | 497 websites |
 France | 384 websites |
 Spain | 381 websites |
 Italy | 355 websites |
 GB | 343 websites |
 Cyprus | 320 websites |
 Brazil | 248 websites |
 Poland | 229 websites |
Website Distribution by TLD
Number of websites using CVE-2025-14802| .com | 3,910 websites |
| .org | 679 websites |
| .it | 237 websites |
| .com.br | 206 websites |
| .de | 203 websites |
| .net | 202 websites |
| .pl | 158 websites |
| .es | 157 websites |
| .fr | 139 websites |
| .ru | 133 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-14802
Top websites that are affected by CVE-2025-14802. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.center | Germany | **,*** | |
| ******.***.uk | GB | ***,*** | |
| **************************.org | United States | ***,*** | |
| **************.com | United States | ***,*** | |
| ************.org | United States | ***,*** | |
| ********************.fr | France | ***,*** | |
| ***********.*********.com | United States | ***,*** | |
| *******.****.br | Brazil | ***,*** | |
| ********.***.my | United States | ***,*** | |
| ******************.com | United States | ***,*** |
FAQ
CVE-2025-14802 is Authorization Bypass Through User-Controlled Key in LearnPress
A total of 9,060 websites have been identified as vulnerable to CVE-2025-14802, based on global website indexing conducted by WebTechSurvey.
The LearnPress is affected by the CVE-2025-14802 vulnerability.
LearnPress versions up to and including 4.3.2.1 are vulnerable to CVE-2025-14802.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve
- https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527
- https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405
- https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77
- https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403