LearnPress WordPress LMS Plugin Unauthorized File Deletion Vulnerability

Vulnerability

An authorization flaw allowing unauthorized file deletion has been identified in the LearnPress WordPress LMS Plugin, affecting versions up to and including 4.3.2.2. The issue lies in the /wp-json/lp/v1/material/{file_id} REST API endpoint: the DELETE handler authorizes the request against the item_id supplied in the request body, but the record it actually deletes is selected by the file_id in the URL path, and the two are never checked against each other. An authenticated attacker with teacher-level access can therefore pass the check with an item_id for a lesson they own while placing another teacher's file_id in the path, deleting that teacher's lesson material file.

Impact

Exploitation allows a teacher-level user to delete lesson material files uploaded by other teachers, an integrity and availability impact that can disrupt course content and resources for both instructors and students. No elevated WordPress capability beyond the teacher role is required.

Reproduction

To reproduce this vulnerability, an authenticated user with teacher-level access sends a DELETE request to the /wp-json/lp/v1/material/{file_id} endpoint. The request body must include an item_id that the requesting user is authorized for (a lesson of their own), which satisfies the authorization check, while the file_id in the URL path is that of a material file uploaded by another teacher. Because the check and the deletion operate on different identifiers, the other teacher's file is removed. The attacker needs to know the target file_id; nothing in the check ties it to the supplied item_id.
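The following Python model is an added illustration of the authorization mismatch described above; it is not LearnPress code, and the table layout, role names and function names are constructed for the example. It places the vulnerable pattern (authorize on item_id from the body, delete by file_id from the path) beside a hardened version that resolves the target record by file_id first and authorizes against that record's actual owner.

```python
"""Model of an authorization check keyed on a different identifier than the
one the operation acts on (the pattern behind the LearnPress material bug).

Added example, not plugin code. The Material table, ITEM_OWNERS map and the
two delete functions are hypothetical stand-ins for the plugin's storage and
REST handler.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Material:
    file_id: int   # identifier used in the URL path /material/{file_id}
    item_id: int   # lesson the file is attached to (sent in the request body)
    owner: str     # login of the teacher who uploaded the file


# Constructed sample data: two teachers, each owning one lesson and one file.
MATERIALS = {
    101: Material(file_id=101, item_id=7, owner="teacher_a"),
    102: Material(file_id=102, item_id=9, owner="teacher_b"),
}
ITEM_OWNERS = {7: "teacher_a", 9: "teacher_b"}  # lesson id -> authoring teacher


def owns_item(user: str, item_id: int) -> bool:
    """Hypothetical permission check: does this user own the lesson?"""
    return ITEM_OWNERS.get(item_id) == user


def delete_material_vulnerable(user: str, path_file_id: int,
                               body_item_id: int, store: dict) -> bool:
    """Vulnerable pattern: the permission check consumes the caller-supplied
    item_id, then the handler deletes whatever file_id was in the URL path.
    Returns True when the deletion went through."""
    if not owns_item(user, body_item_id):
        return False  # would be a 403 in the REST handler
    # No check that path_file_id belongs to body_item_id or to this user.
    store.pop(path_file_id, None)
    return True


def delete_material_fixed(user: str, path_file_id: int,
                          body_item_id: int, store: dict) -> bool:
    """Hardened pattern: resolve the record by the identifier being acted on,
    then authorize against that record's owner and require the supplied
    item_id to match the record, so the two identifiers cannot diverge."""
    material = store.get(path_file_id)
    if material is None:
        return False  # unknown file: treat as not found / forbidden
    if material.owner != user or material.item_id != body_item_id:
        return False  # caller does not own this file, or ids do not match
    del store[path_file_id]
    return True


def cross_teacher_delete(handler) -> tuple[bool, bool]:
    """Run the attack from the advisory against a fresh copy of the table:
    teacher_a passes their own item_id (7) but targets teacher_b's file (102).
    Returns (handler_reported_success, victim_file_still_present)."""
    store = dict(MATERIALS)
    ok = handler("teacher_a", 102, 7, store)
    return ok, 102 in store


if __name__ == "__main__":
    print("vulnerable:", cross_teacher_delete(delete_material_vulnerable))
    print("fixed:     ", cross_teacher_delete(delete_material_fixed))
```

The hardened version shows the general rule for this bug class: load the object by the identifier the request will act on, and derive every authorization decision from that loaded object rather than from parameters the caller is free to pick independently.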

Remediation

Users are advised to update the LearnPress WordPress LMS Plugin to a patched release newer than 4.3.2.2, since versions up to and including 4.3.2.2 are affected. Until the update is applied, restricting the teacher role to trusted users reduces exposure, as the flaw requires an authenticated teacher-level account.

Added: Jan 7, 2026, 3:13 PM
Updated: Jan 7, 2026, 3:13 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 1.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.