CVE-2025-11368

5.3 MEDIUM

📋 TL;DR

This vulnerability in the LearnPress WordPress LMS plugin allows unauthenticated attackers to access sensitive educational content through a REST API endpoint. Attackers can retrieve admin curriculum HTML, quiz questions with correct answers, and course materials by supplying valid numeric IDs. All WordPress sites using LearnPress versions up to 4.2.9.4 are affected.

💻 Affected Systems

Products:
  • LearnPress - WordPress LMS Plugin
Versions: All versions up to and including 4.2.9.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with LearnPress plugin enabled, regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of all educational content including quiz answers, course materials, and curriculum data, potentially enabling academic fraud and intellectual property theft.

🟠 Likely Case

Unauthorized access to course materials, quiz questions, and answers, compromising the integrity of educational assessments and exposing proprietary content.

🟢 If Mitigated

Limited exposure if proper access controls and network segmentation are implemented, but sensitive data remains at risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the vulnerable endpoint with valid numeric IDs, which can be enumerated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.0

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.2.9.4&new_path=/learnpress/tags/4.3.0

Restart Required: No

Instructions:

1. Log in to the WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find the LearnPress plugin
4. Click 'Update Now' if available
5. Alternatively, download version 4.3.0 from the WordPress repository and update manually

🔧 Temporary Workarounds

Block REST API Endpoint

all

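Temporarily block access to the vulnerable REST endpoint using web server configuration or security plugins. WordPress also serves REST routes through the rest_route query parameter (/?rest_route=/lp/v1/load_content_via_ajax), which the path-based rules below do not match, so a complete block has to cover that form as well.

# Apache .htaccess (place above the "# BEGIN WordPress" block so it is evaluated first)
RewriteEngine On
RewriteRule ^wp-json/lp/v1/load_content_via_ajax - [F,L]

# Nginx (inside the server block for the site)
location ~* ^/wp-json/lp/v1/load_content_via_ajax { deny all; }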

Disable LearnPress Plugin

all

Temporarily disable the LearnPress plugin until patched.

wp plugin deactivate learnpress

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests to /wp-json/lp/v1/load_content_via_ajax
  • Restrict access to WordPress REST API endpoints using authentication or IP whitelisting

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins and check the LearnPress version. If the version is 4.2.9.4 or lower, the system is vulnerable.

Check Version:

wp plugin list --name=learnpress --field=version

Verify Fix Applied:

Verify LearnPress plugin version is 4.3.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200 OK responses to /wp-json/lp/v1/load_content_via_ajax from unauthenticated users
  • Unusual access patterns to REST API endpoints

Network Indicators:

  • HTTP GET requests to /wp-json/lp/v1/load_content_via_ajax with numeric parameters
  • Burst of requests to WordPress REST API from single IPs

SIEM Query:

source="web_logs" AND uri_path="/wp-json/lp/v1/load_content_via_ajax" AND response_code=200 AND NOT user_agent="WordPress/*"
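
The log indicators above as a small detector, added here as an example and not part of the original advisory: it counts 200 responses per client for the endpoint in combined-format access logs, matching both the /wp-json/ path and the rest_route query form. The threshold, the sample lines and the `n` query parameter are constructed placeholders, not the plugin's real parameters.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

ROUTE = "/lp/v1/load_content_via_ajax"  # endpoint named in this advisory

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def hits_route(target):
    """True if the request target reaches ROUTE by pretty path or by ?rest_route=."""
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed target in the log line
        return False
    path = unquote(parts.path).lower().rstrip("/")
    if path.endswith("/wp-json" + ROUTE):
        return True
    routes = parse_qs(parts.query).get("rest_route", [])  # parse_qs percent-decodes
    return any(r.lower().rstrip("/") == ROUTE for r in routes)

def suspicious_clients(lines, threshold=3):
    """Return {ip: count} for clients with at least `threshold` 200 responses on ROUTE."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        if m["ua"].startswith("WordPress/"):  # same exclusion as the SIEM query
            continue
        if hits_route(m["target"]):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def _line(i, ip, target, status, ua="curl/8.0"):
    return f'{ip} - - [01/Jan/2025:10:00:0{i} +0000] "GET {target} HTTP/1.1" {status} 512 "-" "{ua}"'

EP = "/wp-json" + ROUTE
# Constructed sample lines (documentation-range IPs, placeholder parameter "n").
SAMPLE_LOG = [
    _line(1, "203.0.113.7", EP + "?n=101", 200),
    _line(2, "203.0.113.7", EP + "?n=102", 200),
    _line(3, "203.0.113.7", "/?rest_route=%2Flp%2Fv1%2Fload_content_via_ajax&n=103", 200),
    _line(4, "198.51.100.4", EP + "?n=7", 403),          # blocked by a workaround rule
    _line(5, "198.51.100.9", "/wp-json/wp/v2/posts", 200),  # unrelated REST route
    _line(6, "192.0.2.10", EP + "?n=1", 200, ua="WordPress/6.5; https://example.test"),
]
```

Standard combined logs carry no session information, so the output is a list of clients to review rather than proof of unauthenticated access.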
