CVE-2025-11368: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in thimpress LearnPress – WordPress LMS Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
AI Analysis
Technical Summary
CVE-2025-11368 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the LearnPress WordPress LMS plugin, versions up to and including 4.2.9.4. The root cause is the absence of proper capability checks on the REST API endpoint /wp-json/lp/v1/load_content_via_ajax. This endpoint allows arbitrary callback execution of admin-only template methods without requiring authentication or authorization. Consequently, an unauthenticated attacker can supply valid numeric IDs to retrieve sensitive data such as admin curriculum HTML, quiz questions including correct answers, course materials, and other educational content that should be restricted to authorized users only. The vulnerability affects confidentiality but does not impact integrity or availability of the system. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of remote exploitation without authentication, but limited to information disclosure. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability is significant for organizations relying on LearnPress for managing online courses, as leakage of quiz answers and course materials can undermine educational integrity and intellectual property protection.
Potential Impact
For European organizations, especially educational institutions, e-learning platforms, and training providers using the LearnPress plugin, this vulnerability poses a risk of unauthorized disclosure of sensitive educational content. Exposure of quiz questions and correct answers can compromise the fairness and credibility of assessments. Leakage of curriculum and course materials may lead to intellectual property loss and reputational damage. Since the vulnerability requires no authentication and can be exploited remotely, attackers can harvest sensitive data at scale. This could also facilitate further social engineering or targeted attacks against educators or students. While the vulnerability does not directly affect system availability or integrity, the confidentiality breach can have significant operational and compliance implications, particularly under GDPR where unauthorized data exposure is a serious concern.
Mitigation Recommendations
1. Immediately restrict access to the /wp-json/lp/v1/load_content_via_ajax REST endpoint by implementing IP whitelisting or authentication requirements at the web server or application firewall level. 2. Apply custom code or plugins to enforce capability checks ensuring only authorized users (e.g., admins) can access sensitive REST API endpoints. 3. Monitor REST API access logs for unusual or repeated requests to the vulnerable endpoint, especially from unauthenticated sources. 4. If possible, disable the LearnPress REST API endpoints temporarily until a vendor patch is released. 5. Engage with the plugin vendor (thimpress) to obtain or request an official patch and apply it promptly once available. 6. Educate administrators and developers about the risks of exposing sensitive data via REST APIs and review other plugins for similar misconfigurations. 7. Conduct regular security audits and penetration tests focusing on API endpoints to detect unauthorized data exposure.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
CVE-2025-11368: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in thimpress LearnPress – WordPress LMS Plugin
Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
AI-Powered Analysis
Technical Analysis
CVE-2025-11368 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the LearnPress WordPress LMS plugin, versions up to and including 4.2.9.4. The root cause is the absence of proper capability checks on the REST API endpoint /wp-json/lp/v1/load_content_via_ajax. This endpoint allows arbitrary callback execution of admin-only template methods without requiring authentication or authorization. Consequently, an unauthenticated attacker can supply valid numeric IDs to retrieve sensitive data such as admin curriculum HTML, quiz questions including correct answers, course materials, and other educational content that should be restricted to authorized users only. The vulnerability affects confidentiality but does not impact integrity or availability of the system. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of remote exploitation without authentication, but limited to information disclosure. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability is significant for organizations relying on LearnPress for managing online courses, as leakage of quiz answers and course materials can undermine educational integrity and intellectual property protection.
Potential Impact
For European organizations, especially educational institutions, e-learning platforms, and training providers using the LearnPress plugin, this vulnerability poses a risk of unauthorized disclosure of sensitive educational content. Exposure of quiz questions and correct answers can compromise the fairness and credibility of assessments. Leakage of curriculum and course materials may lead to intellectual property loss and reputational damage. Since the vulnerability requires no authentication and can be exploited remotely, attackers can harvest sensitive data at scale. This could also facilitate further social engineering or targeted attacks against educators or students. While the vulnerability does not directly affect system availability or integrity, the confidentiality breach can have significant operational and compliance implications, particularly under GDPR where unauthorized data exposure is a serious concern.
Mitigation Recommendations
1. Immediately restrict access to the /wp-json/lp/v1/load_content_via_ajax REST endpoint by implementing IP whitelisting or authentication requirements at the web server or application firewall level. 2. Apply custom code or plugins to enforce capability checks ensuring only authorized users (e.g., admins) can access sensitive REST API endpoints. 3. Monitor REST API access logs for unusual or repeated requests to the vulnerable endpoint, especially from unauthenticated sources. 4. If possible, disable the LearnPress REST API endpoints temporarily until a vendor patch is released. 5. Engage with the plugin vendor (thimpress) to obtain or request an official patch and apply it promptly once available. 6. Educate administrators and developers about the risks of exposing sensitive data via REST APIs and review other plugins for similar misconfigurations. 7. Conduct regular security audits and penetration tests focusing on API endpoints to detect unauthorized data exposure.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-06T13:47:47.518Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 691ffc17a535ade79490ffb1
Added to database: 11/21/2025, 5:43:51 AM
Last enriched: 11/28/2025, 6:51:01 AM
Last updated: 1/7/2026, 4:18:39 AM
Views: 69
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-20893: Origin validation error in Fujitsu Client Computing Limited Fujitsu Security Solution AuthConductor Client Basic V2
HighCVE-2025-14891: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ivole Customer Reviews for WooCommerce
MediumCVE-2025-14059: CWE-73 External Control of File Name or Path in roxnor EmailKit – Email Customizer for WooCommerce & WP
MediumCVE-2025-12648: CWE-552 Files or Directories Accessible to External Parties in cbutlerjr WP-Members Membership Plugin
MediumCVE-2025-14631: CWE-476 NULL Pointer Dereference in TP-Link Systems Inc. Archer BE400
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.