Critical Security Update: Please Update to LifterLMS 9.1.1

Release Date: November 11, 2025
Primary Patched Version: 9.1.1
Severity: 8.8 (High)

We’ve released a critical security update for LifterLMS.

It’s important that you update the core LifterLMS plugin to the latest version, LifterLMS 9.1.1 (or higher), or to the patched point release for the major version you are on (see below).

What Happened

A security researcher recently identified a vulnerability affecting versions of LifterLMS that do not carry the patch described below. It has been rated 8.8 (High); we treat it as critical and strongly recommend updating immediately.

Every LifterLMS release that does not carry the patch is vulnerable. Sites that have not updated to version 9.1.1 or higher (or to one of the patched point releases listed below), and that are not explicitly blocking access to the affected parts of the LifterLMS API, are at risk.

This vulnerability allows any enrolled student to escalate their privileges to administrator, granting them full control over your site, including the ability to execute arbitrary PHP code.

If exploited, an attacker could completely compromise your WordPress installation, altering content, stealing data, installing malware, or destroying your site.

To protect your site, update to LifterLMS 9.1.1 or later immediately. If you cannot update right away, block access to the affected LifterLMS API endpoints at your web application firewall until you can; that is a stopgap, not a fix.

LifterLMS 9.1.1 includes a patch that fully resolves the issue and strengthens internal permission validation and access control routines.

Who Is Affected

All sites running a LifterLMS version that does not carry the patch should update to version 9.1.1 (or later) or to the patched point release for their major version. Take the following steps:

  1. Update The Core LifterLMS Plugin Immediately. Go to Dashboard → Plugins and update the core LifterLMS plugin to version 9.1.1 or higher. Verify the version number after updating.
    • If you cannot move to the 9.1 line, a patched point release has been shipped for each earlier major version. Update to the patched release for the line you are on:
      • 9.1.1 (current release line)
      • 9.0.8
      • 8.0.8
      • 7.8.8
      • 6.11.1
      • 5.10.1
      • 4.21.4
      • 3.41.2
    • We have worked with the WordPress.org plugins team to push out these updates as quickly as possible, while minimizing any impact to your site. If you are already running one of the versions listed above (or a later release on the same line), the security flaw has been fixed.
    • If you cannot update at all right now, you can use this Cloudflare rule as a temporary measure to block access to the vulnerable endpoints. Treat it as a stopgap, not a fix: a Cloudflare rule only covers traffic that is proxied through Cloudflare, so a site whose origin server is reachable directly stays exposed, and the vulnerable code remains installed until you update.
  2. Review Administrator Accounts. Double-check your WordPress admin users and remove or demote any accounts that no longer require administrative access. Because this flaw lets a student make themselves an administrator, look in particular for administrator accounts you did not create and for student accounts whose role has changed. If you find one, assume the site has been compromised and respond accordingly (reset all privileged credentials, rotate the WordPress salts, and review recently modified files) rather than only demoting the account.
  3. Audit LMS Roles. Review and confirm access levels for LMS Manager, Instructor, and Instructor Assistant roles to ensure only trusted users have elevated permissions.
  4. Stay Up to Date. Keep all plugins, themes, and WordPress core updated to their latest versions.
  5. Update or deactivate the LifterLMS REST API Plugin. LifterLMS core bundles the REST API, but when the standalone LifterLMS REST API plugin is active it is used instead of the bundled copy, so an outdated standalone plugin leaves the vulnerable code in use even after core has been updated. If you run the REST API plugin separately (for example for testing), either update it to the latest version or deactivate it so that the version bundled in LifterLMS core is used.
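As an added example (not LifterLMS's own tooling and not part of this advisory), the POSIX shell script below turns the patched-release list above into a yes/no verdict for an installed version, so the check can be run across many sites from a script instead of by eye on the Plugins screen. The rule it encodes is the advisory's: a version is patched if it is 9.1.1 or higher, or if the advisory lists a patched release on the same major.minor line and the installed version is at or above it. The version strings in the demo loop are constructed, and the WP-CLI command and plugin file path in the usage note are assumptions about a standard WordPress install.

```shell
#!/bin/sh
# Added example, not LifterLMS code: decide whether an installed LifterLMS
# version carries the patch, using the releases named in the advisory.

# Patched releases listed in the advisory, one per maintained minor line.
LIFTERLMS_PATCHED="9.1.1 9.0.8 8.0.8 7.8.8 6.11.1 5.10.1 4.21.4 3.41.2"

# vercmp A B: prints -1, 0 or 1 as A is lower than, equal to, or higher
# than B. Fields are compared numerically, so 9.1.10 sorts above 9.1.9 and
# 9.1 equals 9.1.0 (missing fields count as zero).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# major_minor 7.8.7 -> 7.8 (the release line a version belongs to)
major_minor() {
    printf '%s' "$1" | cut -d. -f1,2
}

# lifterlms_is_patched VERSION: returns 0 if patched, 1 if vulnerable.
lifterlms_is_patched() {
    v="$1"
    # Anything at or above the current release is patched.
    [ "$(vercmp "$v" 9.1.1)" -ge 0 ] && return 0
    # Otherwise it must be at or above the patched release of its own line;
    # 7.7.x, for instance, has no patched release and is therefore vulnerable.
    for p in $LIFTERLMS_PATCHED; do
        if [ "$(major_minor "$v")" = "$(major_minor "$p")" ] \
           && [ "$(vercmp "$v" "$p")" -ge 0 ]; then
            return 0
        fi
    done
    return 1
}

# One-line verdict, suitable for a fleet inventory script or a cron job.
lifterlms_report() {
    if lifterlms_is_patched "$1"; then
        echo "LifterLMS $1: patched"
    else
        echo "LifterLMS $1: VULNERABLE, update now"
    fi
}

# Demo over constructed version strings (not real installs).
for v in 9.1.1 9.1.0 9.0.8 9.0.7 7.8.8 7.8.7 7.7.3 3.41.2 10.0.0; do
    lifterlms_report "$v"
done
```

On a real site, feed the function the installed version rather than a literal, for example `lifterlms_report "$(wp plugin get lifterlms --field=version)"` where WP-CLI is available, or the `Version:` header of `wp-content/plugins/lifterlms/lifterlms.php` (assuming the standard plugin path). The check says nothing about the standalone LifterLMS REST API plugin from step 5; inspect that plugin's version separately if it is active.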

Best Security Practices Going Forward

Here are some best practices for keeping your WordPress LMS website secure on an ongoing basis:

  • Keep all plugins, themes, and WordPress core up to date.
  • Restrict database credentials to the least privilege necessary.
  • Enable a Web Application Firewall (WAF) where possible.
  • Run regular penetration tests or vulnerability scans.
  • Regularly audit users with privileged roles on your site.

We’re Here to Help

We understand the seriousness of software security updates and are here to support you through this process.

Our Commitment to You

Your security is our top priority. We apologize for any inconvenience this may cause and appreciate your prompt attention to this matter. Thank you for your understanding and for being a valued member of the LifterLMS community.

Please take these steps as soon as possible to ensure the continued security of your site and user data. Contact the LifterLMS support team with any questions.

LifterLMS is constantly releasing new features, updates, and security upgrades. It’s important to keep your software up to date.