CVE-2025-11368
published 2025-11-21CVE-2025-11368: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4…
PriorityP279medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
0.91%
55.6th percentile
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thimpress | learnpress_wordpress_lms_plugin_for_create_and_sell_online_courses | <= 4.2.9.4 | — |
Detection & IOCsextracted from sources · hover to see the quote
yara↗
rule CVE_2025_11368_LearnPress_InfoDisc { meta: description = "Detects exploitation of CVE-2025-11368 LearnPress REST endpoint abuse" strings: $uri = "/wp-json/lp/v1/load_content_via_ajax" condition: $uri }- →Monitor unauthenticated HTTP GET/POST requests to the REST endpoint /wp-json/lp/v1/load_content_via_ajax, especially those supplying numeric ID parameters, as exploitation requires no authentication. ↗
- →Alert on responses from /wp-json/lp/v1/load_content_via_ajax that contain admin curriculum HTML or quiz answer data, indicating successful sensitive information disclosure. ↗
- →Regex pattern '[^]*>([^<]+)<' found in associated detection rule may be used to extract content from LearnPress REST API responses; monitor for tooling using this pattern against the vulnerable endpoint.
- ·Exploitation requires the attacker to supply valid numeric IDs for course/quiz content; brute-forcing sequential integer IDs is a likely attack vector and should be considered in detection tuning. ↗
- ·All versions up to and including 4.2.9.4 of the LearnPress WordPress LMS Plugin are affected; detections should target sites running these versions. ↗
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-458g-4r9f-c8x2: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4
ghsa_unreviewed·2025-11-21
CVE-2025-11368 [MEDIUM] CWE-200 GHSA-458g-4r9f-c8x2: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
VulnCheck
thimpress learnpress Exposure of Sensitive Information to an Unauthorized Actor
vulncheck·2025·CVSS 5.3
CVE-2025-11368 [MEDIUM] thimpress learnpress Exposure of Sensitive Information to an Unauthorized Actor
thimpress learnpress Exposure of Sensitive Information to an Unauthorized Actor
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
Affected: thimpress learnpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the prod
No detection rules found.
Nuclei
LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure
nuclei·CVSS 5.3
CVE-2025-11368 [MEDIUM] LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure
LearnPress ([^]*>([^<]+)<'
group: 1
# digest: 4a0a0047304502207eedb38bd5b2c2bf85861192559bd87c612d3dc248372c0b86faf138fe8faa6c022100f9be7dac4d52b1db2520ebfab5b6fb9721d54b5921cf029f72b4dedd99cbdb41:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L23https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L41https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.2.9.4&new_path=/learnpress/tags/4.3.0&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/0c9856db-3779-4649-9a48-1c7b6d019816?source=cve
2025-11-21
Published
Exploited in the wild