Do not open a public GitHub issue for security vulnerabilities.
LifterLMS uses a coordinated disclosure process. To report a vulnerability in the LifterLMS MCP Server, in the LifterLMS REST API, or in any LifterLMS plugin or add-on, follow the process documented at:
https://lifterlms.com/security/
We respond to reports within five business days and coordinate fixes, advisories, and credit for responsible disclosure.
In scope:
- Authentication or authorization bypasses
- Credential leakage via logs, error messages, or unintended response surfaces
- Injection vulnerabilities in tool parameters or constructed requests
- Sensitive data exposure through MCP resources or tool responses
Out of scope:
- Issues in third-party dependencies that are already publicly disclosed and have an upstream fix in flight (file an issue or PR to bump the dependency instead)
- Vulnerabilities that require a malicious user already in possession of admin-level WordPress credentials (the MCP intentionally operates with the privileges of the configured Application Password)
- Reports generated by automated scanners without a working proof of concept