LifterLMS, a popular WordPress plugin for creating online courses and quizzes, has a privilege escalation vulnerability: attackers who have access to the plugin can gain higher levels of access than they should have. The plugin doesn’t properly check a user’s identity before allowing them to change their own role through the REST API. As a result, an attacker who previously had only lower-level access can upgrade their access level to that of an administrator. There is also a second way to exploit the vulnerability, through a feature intended for instructors. The affected versions of the plugin are 3.5.3-3.41.2, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7, 9.0.0-9.0.7, and 9.1.0.
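To check an inventory of sites against the affected ranges listed above, the following added example (not code from LifterLMS or from the original page) parses the range list and compares versions numerically, which matters because a plain string comparison would place 3.10.0 below 3.5.3. The hostnames and installed versions in `SAMPLE` are constructed, and ignoring any suffix after the numeric version is an assumption of this sketch.

```python
import re

# Affected ranges exactly as listed in the advisory text above.
AFFECTED = ("3.5.3-3.41.2, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, "
            "7.0.0-7.8.7, 8.0.0-8.0.7, 9.0.0-9.0.7, 9.1.0")


def parse_version(text):
    """Return (major, minor, patch) as ints. Assumption: any suffix is ignored."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def parse_ranges(spec):
    """Turn 'a-b, c-d, e' into [(low, high), ...]; a lone version is a one-point range."""
    ranges = []
    for item in spec.split(","):
        low, _, high = item.strip().partition("-")
        ranges.append((parse_version(low), parse_version(high or low)))
    return ranges


def is_affected(version, ranges=None):
    """True when version falls inside any listed range (inclusive at both ends)."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in (ranges or parse_ranges(AFFECTED)))


def triage(inventory):
    """Map of site -> installed version; returns the sorted sites on a listed version."""
    ranges = parse_ranges(AFFECTED)
    return sorted(site for site, ver in inventory.items() if is_affected(ver, ranges))


# Constructed inventory (hypothetical hostnames and versions, for illustration only).
SAMPLE = {
    "courses.example.test": "3.10.0",  # numerically inside 3.5.3-3.41.2
    "academy.example.test": "3.41.3",  # one past the end of that range
    "learn.example.test": "9.1.0",     # the single listed version
    "quiz.example.test": "9.1.1",      # not listed
    "old.example.test": "3.5.2",       # below the first range
}

if __name__ == "__main__":
    for site in triage(SAMPLE):
        print(f"{site}: LifterLMS {SAMPLE[site]} is in an affected range")
```

A version outside the listed ranges is only "not listed here"; the page does not say which releases contain the fix.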