CVE-2025-11368: LearnPress Plugin Vulnerability Exposes Sensitive Educational Content

Overview

CVE-2025-11368 is a medium-severity vulnerability in the LearnPress – WordPress LMS Plugin, affecting versions up to and including 4.2.9.4. It allows unauthenticated attackers to retrieve sensitive educational content, including curriculum HTML, quiz questions with correct answers, and course materials, because a specific REST API endpoint is missing capability checks. Sites using vulnerable versions of LearnPress are strongly urged to update to the latest version as soon as possible.

Technical Details

The vulnerability lies in the REST endpoint /wp-json/lp/v1/load_content_via_ajax. Because the endpoint performs no capability checks, an unauthenticated attacker who supplies valid numeric IDs can trigger arbitrary callback execution of admin-only template methods. This bypasses the intended access restrictions and exposes data that should be available only to authorized administrators. In short, the endpoint returns content over AJAX without verifying that the caller is authorized to view it.

CVSS Analysis

  • CVSS Score: 5.3 (Medium)
  • The score reflects the vulnerability's potential impact: it does not grant full system control, but the ability to retrieve sensitive information can have significant consequences for course creators and students.

Possible Impact

Exploitation of this vulnerability could lead to:

  • Data Breach: Exposure of sensitive quiz answers, course materials, and curriculum details.
  • Intellectual Property Theft: Unauthorized access to proprietary course content, potentially leading to its distribution or replication.
  • Compromised Course Integrity: Students gaining access to answers beforehand, undermining the integrity of assessments.
  • Reputational Damage: Loss of trust among students and course creators due to a perceived lack of security.

Mitigation or Patch Steps

The primary mitigation is to update the LearnPress plugin to the latest available version (4.3.0 or later). The update addresses the missing capability checks in the vulnerable REST endpoint. To update:

  1. Log in to your WordPress admin dashboard.
  2. Navigate to Plugins -> Installed Plugins.
  3. Locate the LearnPress plugin.
  4. Click the “Update Now” button. If you do not see an update, ensure you have cleared your WordPress cache.
  5. Verify that the plugin version is 4.3.0 or higher after the update.

If updating is not immediately possible, consider temporarily disabling the LearnPress plugin until you can apply the update. While not ideal, this will prevent exploitation of the vulnerability.
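To review whether the endpoint named under Technical Details was requested while a vulnerable version was installed, the following added example (not code from LearnPress or from this advisory) counts requests to it in a web server access log. It assumes Combined Log Format and matches both the /wp-json/ path and WordPress's ?rest_route= query form; a hit is only a candidate for review, since the access log does not record which callback was requested.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "/lp/v1/load_content_via_ajax"  # REST route named in the advisory

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def hits_route(target):
    """True if the request target addresses ROUTE in either WordPress URL form."""
    parts = urlsplit(target)
    # Pretty-permalink form, also under a subdirectory or /index.php/ prefix.
    # Lower-casing may over-match slightly, which is acceptable for triage.
    path = unquote(parts.path).rstrip("/").lower()
    if path.endswith("/wp-json" + ROUTE):
        return True
    # Query form: /?rest_route=/lp/v1/... (parse_qs percent-decodes the value).
    return any(v.rstrip("/").lower() == ROUTE
               for v in parse_qs(parts.query).get("rest_route", []))

def triage(lines):
    """Count requests to ROUTE per (client IP, HTTP status); skip unparsable lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and hits_route(m["target"]):
            counts[(m["ip"], int(m["status"]))] += 1
    return counts

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Oct/2025:10:01:02 +0000] "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 200 5120 "-" "client-a"',
    '203.0.113.7 - - [12/Oct/2025:10:01:03 +0000] "POST /?rest_route=%2Flp%2Fv1%2Fload_content_via_ajax HTTP/1.1" 200 4988 "-" "client-a"',
    '198.51.100.4 - - [12/Oct/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 812 "-" "client-b"',
    '198.51.100.4 - - [12/Oct/2025:10:02:05 +0000] "POST /wp-json/lp/v1/load_content_via_ajax/ HTTP/1.1" 403 120 "-" "client-b"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for (ip, status), n in triage(SAMPLE).most_common():
        print(f"{ip}\tstatus={status}\trequests={n}")
```

Responses with status 200 from clients that also issued many requests in a short window are the ones to examine first, alongside the plugin version that was installed at the time.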

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
