CVE-2023-6223: CWE-639 Authorization Bypass Through User-Controlled Key in thimpress LearnPress – WordPress LMS Plugin
The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user-controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the details of another user's course progress.
AI Analysis
Technical Summary
CVE-2023-6223 is a medium-severity vulnerability affecting the LearnPress plugin for WordPress, a popular Learning Management System (LMS) plugin developed by thimpress. The vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key. It arises from an Insecure Direct Object Reference (IDOR) issue in the /wp-json/lp/v1/profile/course-tab REST API endpoint. Specifically, the plugin fails to properly validate the 'userID' parameter, which is user-controlled. This flaw allows authenticated users with subscriber-level privileges or higher to access the course progress details of other users without authorization. The vulnerability affects all versions up to and including 4.2.5.7. The CVSS v3.1 base score is 4.3, indicating a medium severity level. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), and privileges at the level of a logged-in user (PR:L). No user interaction is needed (UI:N), and the impact is limited to confidentiality (C:L) with no impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability could be exploited by an authenticated attacker to retrieve sensitive information about other users’ course progress, potentially leading to privacy violations and unauthorized data disclosure within educational or corporate LMS environments using LearnPress.
Potential Impact
For European organizations using the LearnPress WordPress LMS plugin, this vulnerability poses a privacy risk by allowing unauthorized access to personal learning data of users. Educational institutions, corporate training departments, and e-learning providers could see exposure of student or employee progress data, which may include sensitive information about course completions, grades, or participation. This could undermine trust in the LMS platform, violate data protection regulations such as the GDPR, and potentially lead to reputational damage or regulatory penalties. While the vulnerability does not allow modification or deletion of data, the unauthorized disclosure of user progress information could be leveraged for social engineering or targeted phishing attacks. Organizations relying on LearnPress for critical training or compliance programs may also face operational risks if users lose confidence in the platform’s security and privacy controls.
Mitigation Recommendations
European organizations should immediately review their LearnPress plugin versions and upgrade to a patched version once available from the vendor. In the absence of an official patch, administrators can implement temporary mitigations such as restricting access to the /wp-json/lp/v1/profile/course-tab REST API endpoint to trusted roles only, or disabling the REST API for LearnPress if feasible. Additionally, monitoring and logging access to this API endpoint can help detect suspicious activity. Organizations should enforce the principle of least privilege by ensuring users have only the necessary roles and permissions. Regularly auditing user roles and access rights within WordPress can reduce the risk of exploitation. Finally, educating users about phishing and social engineering risks related to leaked information can help mitigate downstream impacts.
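The summary above pins the flaw to a single missing check (the 'userID' key is never compared against the caller), and the mitigations ask for role-based restriction of the endpoint plus access logging. The must-use plugin below is an added example written for this page, not LearnPress code and not a vendor patch. It assumes the route registers as the literal path /lp/v1/profile/course-tab (the /wp-json prefix is not part of the route WordPress matches), that the parameter is named 'userID' as the advisory states, and it uses the manage_options capability as a stand-in for "trusted roles"; all three are assumptions to confirm against your installation.

```php
<?php
/**
 * Plugin Name: LearnPress course-tab access guard (added example, not LearnPress code)
 * Description: Stopgap for CVE-2023-6223 until the plugin is upgraded. Place in wp-content/mu-plugins/.
 *
 * Assumptions (from the advisory, not verified against plugin source):
 *  - the endpoint is registered as the literal route below;
 *  - the user-controlled key is the 'userID' request parameter;
 *  - 'manage_options' is an acceptable proxy for "trusted roles".
 */

const LP_GUARD_ROUTE = '/lp/v1/profile/course-tab';

/**
 * Hardened authorization rule: a caller may only view their own progress
 * unless they hold the override capability. Kept free of WordPress calls so
 * the decision logic can be unit-tested in isolation.
 *
 * @param int   $current_user_id 0 when the request is unauthenticated.
 * @param mixed $requested_id    Raw 'userID' parameter, or null when absent.
 * @param bool  $is_admin        Whether the caller holds the override capability.
 */
function lp_guard_user_may_view( int $current_user_id, $requested_id, bool $is_admin ): bool {
    // No override requested: the plugin falls back to the current user, which is safe.
    if ( $requested_id === null || $requested_id === '' ) {
        return true;
    }
    // Reject anything that is not a plain numeric id (arrays, strings, negative values).
    if ( ! is_numeric( $requested_id ) || (int) $requested_id < 1 ) {
        return false;
    }
    // Unauthenticated callers never get to pick another user's id.
    if ( $current_user_id === 0 ) {
        return false;
    }
    return $is_admin || (int) $requested_id === $current_user_id;
}

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Only act on the endpoint named in the advisory; leave every other route untouched.
    if ( ! ( $request instanceof WP_REST_Request )
        || rtrim( $request->get_route(), '/' ) !== LP_GUARD_ROUTE ) {
        return $response;
    }

    $current   = get_current_user_id();
    $requested = $request->get_param( 'userID' );
    $allowed   = lp_guard_user_may_view( $current, $requested, current_user_can( 'manage_options' ) );

    // Monitoring: one structured line per access, including the requested key and the
    // decision, so cross-user lookups stand out in the PHP error log or a forwarded SIEM feed.
    error_log( sprintf(
        'lp-guard route=%s current_user=%d requested_userID=%s decision=%s ip=%s',
        LP_GUARD_ROUTE,
        $current,
        var_export( $requested, true ),
        $allowed ? 'allow' : 'deny',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    // Returning a WP_Error here short-circuits the permission and endpoint callbacks.
    if ( ! $allowed ) {
        return new WP_Error(
            'lp_guard_forbidden',
            'You may only view your own course progress.',
            [ 'status' => 403 ]
        );
    }
    return $response;
}, 10, 3 );
```

Because the guard runs in rest_request_before_callbacks, it sits in front of whatever permission callback LearnPress registers, so it cannot loosen the plugin's own checks, only add one. The logged requested_userID value is what to alert on: a single account repeatedly receiving deny decisions with changing ids is the access pattern the advisory describes. Remove the mu-plugin once the vendor release containing the fix is installed and verified.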
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2023-11-20T20:57:47.843Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f0a31182aa0cae27f6f0a
Added to database: 6/3/2025, 2:44:01 PM
Last enriched: 7/4/2025, 8:26:24 AM
Last updated: 8/6/2025, 7:46:54 AM