
LifterLMS

EDTECH
Velocity 6.3

WordPress LMS plugin for creating and selling online courses with memberships, quizzes, and certificates.

LifterLMS ships v10.0 with in-builder lesson editing and focus mode, then locks down the new surface.

wordpress-lms, course-builder, security-hardening, focus-mode, engagements, gutenberg
Current state
LifterLMS landed its v10.0 major release in early May, bringing lesson content editing directly into the Course Builder, a focus mode for learners, an Events tab, and a unified 'Any' trigger for engagements. The two weeks since have been spent on three security hotfixes (v10.0.1, v10.0.2, v10.0.3) tightening permission checks on the new course-builder data paths. The 9.x line that preceded it also leaned heavily on security work, with multiple releases acknowledging external reporters.
Where it's heading
The product is consolidating around a modern Gutenberg-era course builder as the central authoring surface and aligning with WordPress core conventions (replacing custom llms_verify_nonce calls with standard WP nonce checks, dropping deprecated SQL_CALC_FOUND_ROWS). The recurring cadence of permission-check patches — both pre- and post-v10 — suggests LifterLMS is attracting sustained external security scrutiny as it grows.
Prediction
Expect a v10.1.x line that finishes locking down the new course-builder permission surface and continues retiring custom helpers in favor of WP-core equivalents. The Events tab introduced in v10.0 is the next feature surface to watch — it shipped with minimal content and is likely to expand.

Recent moves

  1. 1d ago

    Version 10.0.3

    Third security hotfix in the v10.0 series, this one adding verification layers around course builder and access plan reads and writes. Also catches a background-processor edge case where stale email notifications could fire on incomplete runs. Continues the post-v10.0 lockdown of the new authoring surface.

  2. 6d ago

    Version 10.0.2

    Adds an access check verifying that a quiz is reachable via the parent course before letting students interact, a gap the new v10.0 builder data paths exposed. Also includes a developer-facing SCSS cleanup.

  3. 8d ago

    Version 10.0.1

    Course-builder ownership check: items updated through the builder are now verified to belong to the same course. First in the post-v10.0 security sweep — the new in-builder editing flow widened the attack surface and needed immediate hardening.

  4. 17d ago

    Version 10.0.0

    ⚡ SPARK

    The architectural pivot for LifterLMS: v10.0 bundles in-builder lesson editing, a learner focus mode, an Events tab, and a unified 'Any' trigger for engagements together with a wholesale move off custom nonce verification onto WordPress standards. The team is treating the major version as the moment to align with modern WordPress idioms rather than keep maintaining parallel custom code.

  5. 1mo ago

    Version 9.2.3

    Pre-v10 security release adding admin-action permission checks, credited to an external reporter. Part of the steady drumbeat of permission-hardening that has characterized the 9.x line.

  6. 1mo ago

    Version 9.2.2

    Maintenance release pairing template-output escaping changes with validation of the order param on the quiz Students Without Attempts table. Also retires deprecated mb_convert_encoding usage — small modernization beats that fit the trajectory of cleaning up legacy plugin code.
