LifterLMS

EDTECH
Velocity: 5.0

WordPress LMS plugin for creating and selling online courses with memberships, quizzes, and certificates.

After the 10.0 feature push, LifterLMS settles into a steady security-hardening cadence.

Tags: wordpress-lms, security-hardening, course-builder, performance, deprecations, ai-agent-tooling
Current state
LifterLMS, the WordPress LMS plugin, has shipped a string of 10.0.x point releases that are almost entirely security fixes, many credited to external researchers, plus occasional performance and developer-tooling work. The substance lives in 10.0.0: in-builder lesson editing, a focus mode for lessons and quizzes, an Events tab, and an 'Any' engagement trigger. Everything since has been stabilization rather than new capability.
Where it's heading
The line is consolidation after a feature-heavy major. Nearly every release since 10.0.0 hardens the course builder, checkout, REST API, and form-submission paths against injection and permission gaps, with one real performance win in 10.0.7 (anonymous visitors stay eligible for full-page caching). The team also added AGENTS.md and CLAUDE.md to make the repo legible to AI coding agents.
Prediction
Expect the security-patch cadence to continue draining the queue of researcher-reported issues before the next feature batch, which would likely arrive as a 10.1 rather than another 10.0.x. No directional shift is visible in these entries.

Recent moves

  1. 2d ago

    Security hardening for checkout, imports, and forms (10.0.8)

    Security fixes adding checks during checkout order creation, user creation in course/membership imports, and account/registration form submissions. Continues the post-10.0 hardening cadence with no user-visible feature change.

  2. 4d ago

    Anonymous pageviews stay full-page cacheable (10.0.7)

    Anonymous visitors no longer get a LifterLMS session cookie until session data is actually written, keeping otherwise-anonymous pageviews eligible for full-page caching. A real performance win on top of the usual security fixes in this release.

  3. 8d ago

    Quiz-question security check and added E2E tests (10.0.6)

    Adds E2E test coverage and a security check when updating a quiz question. Internal hardening that fits the ongoing stabilization of the 10.x line.

  4. 19d ago

    Deprecate legacy quiz-question query method (10.0.5)

    Deprecates a method for querying quiz questions, with searching now handled by the Course Builder's llms_builder AJAX flow. A developer-facing cleanup with no end-user impact.

  5. 23d ago

    AI-agent context files and REST permission checks (10.0.4)

    Adds AGENTS.md and CLAUDE.md to surface project context for AI coding agents, plus REST API permission checks and tighter Course Builder save validation. Repo-legibility and security work rather than product features.

  6. 1mo ago

    Email-notification fix and course-builder security checks (10.0.3)

    Fixes an email-notification edge case when the background processor fails and adds verification on course-builder and access-plan reads and writes. Bug-fix-and-security maintenance consistent with the hardening cycle.
