Critical Vulnerability Information

CVE: CVE-2025-11923
CVSS: 8.8 (High)
Public Release: November 12, 2025
Last Updated: November 13, 2025
Researcher: shark3y

Description

By crafting a malicious REST API request to update their own role array, an attacker can escalate their privileges to administrator. Another endpoint specifically designed for teachers also provides an attack vector.

Affected versions include: 3.5.3 - 3.41.2, 4.0.0 - 4.21.3, 5.0.0 - 5.10.0, 6.0.0 - 6.11.0, 7.0.0 - 7.8.7, 8.0.0 - 8.0.7, 9.0.0 - 9.0.7, 9.1.0.

Wordfence has intercepted 6 attacks targeting this vulnerability in the past 24 hours.

Vulnerability Details

Software Type: Plugin
Software Slug: lifterlms
Fixed?: Yes
Remediation: Upgrade to one of the following versions, or to a newer patched version: 3.41.2, 4.21.4, 5.10.1, 6.11.1, 7.8.8, 8.0.8, 9.0.8, 9.1.1
Affected Versions: 9.1.0, 7.0.0 - 7.8.7, 8.0.0 - 8.0.7, 9.0.0 - 9.0.7
Fixed Versions: 3.41.2, 4.21.4, 5.10.1, 6.11.1