CVE-2025-13956
📋 TL;DR
This vulnerability lets unauthenticated attackers read order statistics from the LearnPress WordPress plugin, including revenue summaries and order status counts, through the plugin's REST API. WordPress sites running LearnPress 4.3.1 or earlier are affected. The root cause is a missing capability check on the order statistics REST endpoint, so anonymous requests are served the same data an administrator would see.
💻 Affected Systems
- LearnPress - WordPress LMS Plugin
⚠️ Manual Verification Required
The NVD record for this CVE does not list an affected version range, so scanners that match on version metadata alone may not flag an affected site. Use the version boundary stated on this page (4.3.1 and earlier affected, 4.3.2 fixed) and verify manually:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could track revenue and sales volume over time as business intelligence, or use the figures to make social engineering pretexts against the site operator or its customers more convincing.
Likely Case
Unauthorized viewing of revenue statistics and order data, potentially exposing business metrics and customer activity patterns.
If Mitigated
Limited to viewing aggregated statistics without access to individual customer details or payment information.
🎯 Exploit Status
Exploitation is a single unauthenticated HTTP GET to the vulnerable REST endpoint; no credentials, nonce or special tooling are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.2 or later
Vendor Advisory: https://wordpress.org/plugins/learnpress/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find LearnPress and click 'Update Now'.
4. Verify the installed version is 4.3.2 or higher.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
Remove or restrict access to the vulnerable order statistics endpoint.
Add to a custom plugin or the theme's functions.php: remove_action('rest_api_init', 'lp_rest_api_orders_controller'); This only has an effect if LearnPress registers the controller under exactly that callback name at the default priority, so confirm with has_action('rest_api_init', 'lp_rest_api_orders_controller') before relying on it, and note that unregistering the whole orders controller also removes any other routes it provides.
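A route-level deny that does not depend on knowing the callback name, as an added example for this workaround (it is not LearnPress's or the vendor's code): a must-use plugin that rejects requests to the route unless the caller holds a capability. It assumes the route path quoted above and the manage_options capability; both are constants to adjust if another role legitimately reads the statistics on your site.

```php
<?php
/**
 * Plugin Name: Deny anonymous LearnPress order statistics (CVE-2025-13956 interim fix)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Example code added to this advisory, not LearnPress's own. It assumes the
 * vulnerable route is /learnpress/v1/orders/statistic (the path quoted above)
 * and that 'manage_options' is the right capability to require.
 */

const LP_STAT_ROUTE_PREFIX = '/learnpress/v1/orders/statistic'; // assumed route
const LP_STAT_REQUIRED_CAP = 'manage_options';                   // assumed capability

/*
 * rest_pre_dispatch runs after REST authentication and before the route callback.
 * By then a cookie without a valid X-WP-Nonce has already been reduced to user 0,
 * so current_user_can() below only passes for properly authenticated callers.
 * Returning a WP_Error short-circuits dispatch; returning $result leaves the
 * request alone.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( ! $request instanceof WP_REST_Request ) {
		return $result;
	}
	// get_route() is the matched REST route, independent of whether the client
	// used /wp-json/... or /?rest_route=..., so both URL forms are covered.
	$route = untrailingslashit( $request->get_route() );
	if ( strpos( $route, LP_STAT_ROUTE_PREFIX ) !== 0 ) {
		return $result;
	}
	if ( current_user_can( LP_STAT_REQUIRED_CAP ) ) {
		return $result;
	}
	// Same convention as core: 401 for anonymous callers, 403 for logged-in
	// users who lack the capability.
	return new WP_Error(
		'rest_forbidden',
		__( 'Sorry, you are not allowed to view order statistics.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}, 10, 3 );
```

Because the check keys on the matched route rather than the request URL, a WAF bypass via the ?rest_route= form does not help an attacker; the deny also applies to internal rest_do_request() calls for that route, which is acceptable for an interim fix. Remove the file after updating to 4.3.2.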
Web Application Firewall rule
Block requests to the vulnerable endpoint.
WAF rule to block: /wp-json/learnpress/v1/orders/statistic. The same route is also reachable as /?rest_route=/learnpress/v1/orders/statistic (and via index.php?rest_route=, possibly percent-encoded), so match on the route string in both the path and the URL-decoded query rather than on the /wp-json prefix alone.
🧯 If You Can't Patch
- Disable the LearnPress plugin entirely until patched
- Restrict the LearnPress REST routes by source IP at the reverse proxy or web server, covering both the /wp-json/ and ?rest_route= forms; restrict wp-admin as well if only known networks need it. Do not block the whole /wp-json/ namespace, since the block editor and many plugins depend on it.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > LearnPress version. If version is 4.3.1 or lower, system is vulnerable.
Check Version:
wp plugin list --name=learnpress --field=version
Verify Fix Applied:
After updating, confirm the LearnPress version is 4.3.2 or higher, then request /wp-json/learnpress/v1/orders/statistic (and the /?rest_route=/learnpress/v1/orders/statistic form) without authentication. A fixed site answers with an authorization error (HTTP 401 for anonymous callers, 403 for logged-in users without the capability); an HTTP 200 with a JSON body containing revenue or order counts means the check is still missing.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /wp-json/learnpress/v1/orders/statistic or the equivalent ?rest_route=/learnpress/v1/orders/statistic form. Web server logs do not record WordPress session state, so on an unpatched site treat every 200 to this route as a probable disclosure; after 4.3.2 anonymous callers receive 401/403 and a 200 indicates an authenticated user.
- Unusual GET requests to orders statistic endpoint
Network Indicators:
- Unusual traffic patterns to WordPress REST API endpoints
- Multiple requests to /wp-json/learnpress/v1/orders/statistic
SIEM Query:
source="web_server" AND http_status=200 AND (uri_path="/wp-json/learnpress/v1/orders/statistic*" OR uri_query="*rest_route=*learnpress*v1*orders*statistic*")
Do not exclude "bot" user agents: the header is attacker-controlled, and scanner traffic is exactly what this query is meant to surface. The rest_route clause uses wildcards because the value may be percent-encoded in the raw log.
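The log indicators and SIEM query above, as an added example run over constructed access log lines (this is not a LearnPress or vendor tool): it parses combined-format lines, recognises the route in both URL forms, and reports only 200 responses. The sample lines are constructed for the example; the usage path is an assumption.

```php
<?php
/**
 * Scan a combined-format access log for the LearnPress order statistics
 * endpoint answering with HTTP 200. Example code added to this advisory; it is
 * not a LearnPress or vendor tool. The sample log lines below are constructed.
 *
 * Usage: php lp_stat_scan.php /var/log/nginx/access.log   (no argument: runs on the sample)
 */

// Apache/Nginx combined format: ip ident user [time] "METHOD uri PROTO" status bytes "referer" "ua"
const COMBINED_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
const LP_STAT_ROUTE   = '/learnpress/v1/orders/statistic';

/**
 * True when the request URI targets the vulnerable route in either URL form:
 *   /wp-json/learnpress/v1/orders/statistic
 *   /?rest_route=/learnpress/v1/orders/statistic   (also index.php?rest_route=, percent-encoded)
 * Query strings and trailing slashes on the pretty form are tolerated.
 */
function lp_stat_targets_endpoint( string $uri ): bool {
	$parts  = parse_url( $uri );
	$path   = rtrim( $parts['path'] ?? '', '/' );
	$pretty = '/wp-json' . LP_STAT_ROUTE;
	if ( substr( $path, -strlen( $pretty ) ) === $pretty ) {
		return true;
	}
	parse_str( $parts['query'] ?? '', $query ); // parse_str percent-decodes the value
	$route = rtrim( (string) ( $query['rest_route'] ?? '' ), '/' );
	return $route === LP_STAT_ROUTE;
}

/**
 * Return the lines worth alerting on: a 200 to the endpoint. Access logs do not
 * record whether the caller held a WordPress session, so on an unpatched site every
 * 200 is a probable disclosure; after 4.3.2 anonymous callers get 401/403 and a 200
 * means an authenticated user. The user agent is recorded but never used to filter:
 * it is attacker-controlled, and scanner UAs are exactly the ones you want to see.
 */
function lp_stat_scan( array $lines ): array {
	$hits = array();
	foreach ( $lines as $line ) {
		if ( ! preg_match( COMBINED_LOG_RE, $line, $m ) ) {
			continue; // not a combined-format line
		}
		if ( $m[5] === '200' && lp_stat_targets_endpoint( $m[4] ) ) {
			$hits[] = array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4], 'ua' => $m[6] );
		}
	}
	return $hits;
}

// Constructed sample: two disclosures (pretty URL and rest_route form), one denied
// request after patching, and an unrelated LearnPress route.
$sample = array(
	'203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-json/learnpress/v1/orders/statistic HTTP/1.1" 200 512 "-" "curl/8.4.0"',
	'203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /?rest_route=%2Flearnpress%2Fv1%2Forders%2Fstatistic HTTP/1.1" 200 512 "-" "python-requests/2.31"',
	'198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "GET /wp-json/learnpress/v1/orders/statistic HTTP/1.1" 401 97 "-" "Mozilla/5.0"',
	'198.51.100.7 - - [10/Jan/2025:10:01:05 +0000] "GET /wp-json/learnpress/v1/courses?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
);

$lines = $argc > 1 ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) : $sample;
foreach ( lp_stat_scan( $lines ) as $hit ) {
	echo json_encode( $hit ), PHP_EOL;
}
```

On the sample only the first two lines are reported: the 401 is the post-patch behaviour and the courses route is unrelated. Pair the output with the patch date; hits before it are disclosures to investigate, hits after it should correspond to administrator sessions.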