Critical Security Update: SQL-Injection Vulnerability in the “Have a Voucher?” Field

It’s important that you update the core LifterLMS plugin to the latest version, LifterLMS 8.0.7 (or higher).

Release date: June 11, 2025
Patched version: LifterLMS 8.0.7
Severity: High (Arbitrary SQL execution)

On most setups it does not appear that data can be deleted, modified, or exposed through this flaw. Even so, it allows arbitrary SQL to run against your database, so we recommend updating immediately.

What happened?

During a security audit we found that, when Open Registration is turned on, the value submitted in the “Have a voucher?” field on the registration form was passed into a database query without being sanitised or parameterised.

An attacker who could reach that field could craft a request that runs arbitrary SQL against your site’s database. No authentication was required: anyone able to load the public registration form could send the request.

Timeline

Date (2025)   Event
June 9        Vulnerability reported internally.
June 10       Root cause confirmed; patch developed and tested.
June 11       LifterLMS 8.0.7 released; public advisory published (this post and an email to users).

Who is affected?

Your site is affected if all of the following are true:

  1. It runs a LifterLMS version earlier than 8.0.7,
  2. Open Registration is enabled (users can create accounts without manual approval), and
  3. The “Have a voucher?” field is shown on the registration form.

Your site is not affected if either of the following is true:

  • Open Registration is turned off, or
  • The voucher field has been removed or disabled entirely.

What We Have Done

  • Patched release LifterLMS 8.0.7 sanitises and parameterises all voucher queries.
  • Added hardening that blocks voucher-field processing unless a voucher code is present.
  • Improved unit tests to cover all registration-form inputs.
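The flaw described under “What happened?” and the parameterised fix listed above, shown side by side as an added example. This is illustrative code written for this advisory, not LifterLMS’s own code: the voucher table, its columns, and the sample codes are constructed for the demo, and SQLite stands in for MySQL. In WordPress the safe pattern is the same idea expressed with $wpdb->prepare() and %s placeholders.

```python
import sqlite3

# Constructed sample schema and data (assumed names, not LifterLMS's tables).
SCHEMA = """
CREATE TABLE vouchers (
    id             INTEGER PRIMARY KEY,
    code           TEXT NOT NULL UNIQUE,
    uses_remaining INTEGER NOT NULL
);
INSERT INTO vouchers (code, uses_remaining)
VALUES ('SPRING25', 10), ('STAFF-ONLY', 1);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_voucher_vulnerable(conn, user_input):
    """The flawed pattern: the submitted value is spliced into the SQL text,
    so quotes, comment markers and OR clauses in the input rewrite the query."""
    sql = ("SELECT code FROM vouchers WHERE code = '" + user_input
           + "' AND uses_remaining > 0")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # A stray apostrophe in honest input already breaks the query;
        # an attacker exploits the same property on purpose.
        return ["SQL error: " + str(exc)]


def lookup_voucher_safe(conn, user_input):
    """Hardened pattern: skip the lookup when no code was submitted (the
    hardening step above), then bind the value as a parameter so the
    database never parses it as SQL."""
    if not user_input or not user_input.strip():
        return []
    sql = "SELECT code FROM vouchers WHERE code = ? AND uses_remaining > 0"
    return [row[0] for row in conn.execute(sql, (user_input.strip(),))]


def demo():
    """Run both lookups against a tautology payload, an apostrophe, a valid
    code and an empty field; returns a dict of results for comparison."""
    conn = fresh_db()
    payload = "' OR 1=1 --"          # turns the WHERE clause into 'always true'
    return {
        "vulnerable": lookup_voucher_vulnerable(conn, payload),
        "vulnerable_quote": lookup_voucher_vulnerable(conn, "O'Brien"),
        "safe": lookup_voucher_safe(conn, payload),
        "safe_quote": lookup_voucher_safe(conn, "O'Brien"),
        "safe_valid": lookup_voucher_safe(conn, "SPRING25"),
        "safe_empty": lookup_voucher_safe(conn, ""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

With the payload, the vulnerable lookup returns every voucher in the table, including one the attacker never knew; the parameterised lookup returns nothing, and the empty-field short-circuit means the query is not run at all when the field is blank.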

Follow these steps to update your site.

1) Update Your Core LifterLMS Plugin Immediately

Go to Dashboard > Plugins, update LifterLMS to LifterLMS 8.0.7 (or higher).

Verify that the new LifterLMS 8.0.7 (or higher) version number appears under Plugins > LifterLMS.

2) If you cannot update immediately, temporarily disable Open Registration

If you cannot update your core LifterLMS plugin version right away, switch LifterLMS > Settings > Accounts > Open Registration to “No” until you update to LifterLMS 8.0.7 or higher.

3) Audit Recent Activity

Review your web server and database logs for unexpected queries or unusual requests to the registration form, and check for WordPress administrator accounts created in the last 30 days.

If anything suspicious is found, rotate admin passwords, cycle API keys, and invalidate user sessions.
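Two of the audit checks in step 3, as an added example that is not part of the original advisory: flag voucher queries in a database query log that do not have the shape a legitimate lookup should have, and list administrator accounts registered within the last 30 days. The log lines, the wp_vouchers table name, and the user records below are all constructed for this example; real LifterLMS table names and your own log format will differ, so adjust the patterns before use.

```python
import re
from datetime import date, timedelta

# Constructed lines in the shape of a MySQL general query log
# (timestamp, connection id, command, query text). Made up for this example;
# wp_vouchers is an assumed table name, not LifterLMS's.
GENERAL_LOG = """\
2025-06-09T08:12:01.000000Z\t   41 Query\tSELECT code FROM wp_vouchers WHERE code = 'SPRING25'
2025-06-09T08:13:44.000000Z\t   42 Query\tSELECT code FROM wp_vouchers WHERE code = '' OR 1=1 -- '
2025-06-09T08:14:10.000000Z\t   42 Query\tSELECT code FROM wp_vouchers WHERE code = '' UNION SELECT user_pass FROM wp_users -- '
2025-06-09T08:15:02.000000Z\t   43 Query\tSELECT ID FROM wp_users WHERE user_login = 'alice'
2025-06-09T08:15:30.000000Z\t   44 Query\tSELECT code FROM wp_vouchers WHERE code = 'STAFF-ONLY'
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

# Allowlist: the only shape a voucher lookup should ever take. Any query that
# touches the voucher table and does not match is "unexpected" and reported.
EXPECTED_VOUCHER_QUERY = re.compile(
    r"^SELECT code FROM wp_vouchers WHERE code = '[A-Za-z0-9_-]*'$")


def unexpected_voucher_queries(log_text):
    """Return (timestamp, connection id, sql) for every voucher-table query
    that deviates from the expected lookup shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        sql = m.group("sql").strip()
        if "wp_vouchers" in sql and not EXPECTED_VOUCHER_QUERY.match(sql):
            hits.append((m.group("ts"), int(m.group("conn")), sql))
    return hits


# Constructed user records, as you would pull them from wp_users/wp_usermeta.
USERS = [
    {"user_login": "owner",   "user_registered": date(2023, 1, 15), "role": "administrator"},
    {"user_login": "alice",   "user_registered": date(2025, 5, 20), "role": "student"},
    {"user_login": "sysadm1", "user_registered": date(2025, 6, 9),  "role": "administrator"},
]

ADVISORY_DATE = date(2025, 6, 11)


def recent_admins(users, as_of, days=30):
    """Logins of administrator accounts registered within the last `days`."""
    cutoff = as_of - timedelta(days=days)
    return sorted(u["user_login"] for u in users
                  if u["role"] == "administrator" and u["user_registered"] >= cutoff)


if __name__ == "__main__":
    for ts, conn, sql in unexpected_voucher_queries(GENERAL_LOG):
        print(f"{ts} conn={conn}: {sql}")
    print("recent admins:", recent_admins(USERS, ADVISORY_DATE))
```

Two practical caveats: MySQL’s general query log is off by default, so it only helps if it was already enabled before the window you are auditing; and for the account check on a live site, `wp user list --role=administrator --field=user_login` gives you the same list without writing code.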

4) Check Backups

Take a fresh backup after updating so you have a known-good, patched restore point.

Label, archive, or remove any pre-patch backups so an unpatched copy is not restored by accident; restoring one reintroduces the vulnerability.

Best Security Practices Going Forward

Here are some best practices for keeping your WordPress LMS website secure on an ongoing basis:

  • Keep all plugins, themes, and WordPress core up to date.
  • Restrict database credentials to the least privilege necessary.
  • Enable a Web Application Firewall (WAF) where possible.
  • Run regular penetration tests or vulnerability scans.

We’re Here to Help

We understand the seriousness of software security updates and are here to support you through this process.

Our Commitment to You

Your security is our top priority. We apologize for any inconvenience this may cause and appreciate your prompt attention to this matter. Thank you for your understanding and for being a valued member of the LifterLMS community.

Please take these steps as soon as possible to ensure the continued security of your site and user data. Contact the LifterLMS support team with any questions.

LifterLMS is constantly releasing new features, updates, and security upgrades. It’s important to keep your software up to date.