{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11368", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-06T13:47:47.518Z", "datePublished": "2025-11-21T05:32:04.912Z", "dateUpdated": "2026-04-08T16:35:07.676Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:07.676Z"}, "affected": [{"vendor": "thimpress", "product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.9.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs."}], "title": "LearnPress \u2013 WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c9856db-3779-4649-9a48-1c7b6d019816?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L41"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L23"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.2.9.4&new_path=/learnpress/tags/4.3.0&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "timeline": [{"time": "2025-10-07T03:33:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-20T16:53:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T14:44:17.379360Z", "id": "CVE-2025-11368", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:58:48.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T14:44:17.379360Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:44:19.058Z"}}], "cna": {"title": "LearnPress \u2013 WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "thimpress", "product": "LearnPress \u2013 WordPress LMS Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.2.9.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-07T03:33:05.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-20T16:53:10.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c9856db-3779-4649-9a48-1c7b6d019816?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L41"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L23"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.2.9.4&new_path=/learnpress/tags/4.3.0&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-21T05:32:04.912Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11368", "state": "PUBLISHED", "dateUpdated": "2025-11-21T14:58:48.232Z", "dateReserved": "2025-10-06T13:47:47.518Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T05:32:04.912Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs."}], "id": "CVE-2025-11368", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T06:15:47.343", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L23"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L41"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.2.9.4&new_path=/learnpress/tags/4.3.0&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c9856db-3779-4649-9a48-1c7b6d019816?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:08:28.013751+00:00", "value": {"mitigation_remediation": ["Upgrade the LearnPress plugin to version 4.3.0 or later, where the missing authorization checks have been added to the /wp-json/lp/v1/load_content_via_ajax endpoint.", "Until the plugin can be updated, disable or block the /wp-json/lp/v1/load_content_via_ajax REST endpoint by using a firewall rule, plugin configuration, or custom code that restricts access to authenticated users only.", "Maintain regular plugin updates and review REST API permissions on your WordPress site to ensure that only authorized users can call protected endpoints."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the LearnPress \u2013 WordPress LMS Plugin developed by ThimPress. All releases through version 4.2.9.4 are impacted. Users running any of these versions on a WordPress site should consider the plugin as vulnerable.", "description_and_impact": "The LearnPress plugin for WordPress, in all versions up to 4.2.9.4, is vulnerable to sensitive information disclosure because the REST endpoint /wp-json/lp/v1/load_content_via_ajax lacks capability checks. This allows an unauthenticated attacker to invoke admin\u2011only template methods via arbitrary callbacks and retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other proprietary educational content. The flaw is a classic access\u2011control weakness that compromises data confidentiality.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity. With an EPSS score of less than 1%, the current anticipated exploit probability is very low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need only network access to the site\u2019s REST API and the ability to supply valid numeric identifiers to trigger the callback functions. Because no authentication is required and no special code execution is needed beyond data retrieval, exploitation is straightforward but constrained. The low exploitation probability means that the threat remains primarily a confidentiality risk rather than an immediate high\u2011impact incident."}}}}, "created": "2025-11-24T09:09:59.589265+00:00", "updated": "2026-04-22T21:15:27.681375+00:00", "vendors": ["thimpress", "thimpress$PRODUCT$learnpress", "wordpress", "wordpress$PRODUCT$wordpress"]}