CVE-2025-11368: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in thimpress LearnPress – WordPress LMS Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
AI Analysis
Technical Summary
CVE-2025-11368 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the LearnPress WordPress LMS plugin, versions up to and including 4.2.9.4. The issue arises from missing capability checks in the REST API endpoint /wp-json/lp/v1/load_content_via_ajax. This endpoint allows unauthenticated users to invoke admin-only template methods by supplying arbitrary numeric IDs, leading to unauthorized disclosure of sensitive educational content. Specifically, attackers can retrieve admin curriculum HTML, quiz questions along with correct answers, course materials, and other protected data. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 score is 5.3 (medium), reflecting the ease of exploitation and the confidentiality impact, while integrity and availability remain unaffected. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability poses a significant risk to educational institutions and organizations relying on LearnPress for managing course content and assessments, as sensitive information leakage could undermine academic integrity and privacy.
Potential Impact
The primary impact of CVE-2025-11368 is the unauthorized disclosure of sensitive educational content, including course materials, curriculum details, and quiz answers. This exposure can lead to academic dishonesty, loss of trust in the educational platform, and potential privacy violations for students and instructors. Organizations using LearnPress may face reputational damage and compliance issues, especially if personal or proprietary educational content is leaked. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have serious consequences for online learning environments. Attackers could exploit this flaw to gain unfair advantages in assessments or to harvest intellectual property. The ease of exploitation without authentication increases the threat level, particularly for publicly accessible WordPress LMS sites. The absence of known exploits currently provides a window for mitigation, but the risk remains significant given the widespread use of WordPress and LearnPress in education worldwide.
Mitigation Recommendations
To mitigate CVE-2025-11368, organizations should immediately update the LearnPress plugin to a patched version once available from the vendor. In the absence of an official patch, administrators should restrict access to the vulnerable REST API endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to /wp-json/lp/v1/load_content_via_ajax. Additionally, disabling REST API access for unauthenticated users or limiting it via authentication plugins can reduce exposure. Review and harden WordPress user roles and permissions to ensure that sensitive content is not accessible beyond intended users. Monitoring web server logs for suspicious requests targeting the vulnerable endpoint can help detect exploitation attempts. Educating site administrators about the risk and encouraging regular plugin updates are critical. Finally, consider isolating LMS content behind VPNs or intranet access controls where feasible to further reduce exposure.
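The log monitoring recommended above, as an added example (not code from the advisory or from LearnPress): it scans Combined Log Format access-log lines for requests that reach the endpoint, including WordPress's `?rest_route=` form of a REST URL, which a log or WAF rule written only for the `/wp-json/...` path does not match. The sample log lines, the function names and the threshold of three successful responses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

ROUTE = "/lp/v1/load_content_via_ajax"  # REST route named in the advisory

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def _norm(value):
    # Normalise case, duplicate slashes and a trailing slash; over-matching
    # is acceptable for detection.
    return re.sub(r"/+", "/", value.lower()).rstrip("/")

def hits_route(target):
    """True if the request target addresses the LearnPress route."""
    path, _, query = target.partition("?")
    if _norm(unquote(path)).endswith("/wp-json" + ROUTE):
        return True
    # REST routes are also reachable as ?rest_route=<route>; parse_qs
    # percent-decodes the value before comparison.
    return any(_norm(v) == ROUTE for v in parse_qs(query).get("rest_route", []))

def summarize(lines):
    """Return {client_ip: {"total": n, "ok": n}} for requests to the route."""
    stats = defaultdict(lambda: {"total": 0, "ok": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if m and hits_route(m["target"]):
            stats[m["ip"]]["total"] += 1
            stats[m["ip"]]["ok"] += m["status"].startswith("2")
    return dict(stats)

def suspects(stats, min_ok=3):
    """Clients with at least min_ok 2xx responses (threshold is an assumption)."""
    return sorted(ip for ip, s in stats.items() if s["ok"] >= min_ok)

# Constructed sample log lines (documentation IP ranges), not real traffic.
T = "[21/Nov/2025:05:40:01 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T} "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 200 5120 "-" "-"',
    f'203.0.113.7 - - {T} "POST /index.php?rest_route=%2Flp%2Fv1%2Fload_content_via_ajax HTTP/1.1" 200 4891 "-" "-"',
    f'203.0.113.7 - - {T} "POST /wp-json/lp/v1/load_content_via_ajax/ HTTP/1.1" 200 5033 "-" "-"',
    f'203.0.113.7 - - {T} "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 403 210 "-" "-"',
    f'198.51.100.20 - - {T} "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 200 980 "-" "-"',
    f'198.51.100.20 - - {T} "GET /wp-json/wp/v2/posts HTTP/1.1" 200 3000 "-" "-"',
]

if __name__ == "__main__":
    print(suspects(summarize(SAMPLE_LOG)))
```

Access logs in this format do not record request bodies or cookies, so the output identifies which clients reached the endpoint and how often, not what content was returned.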
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-06T13:47:47.518Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691ffc17a535ade79490ffb1
Added to database: 11/21/2025, 5:43:51 AM
Last enriched: 2/27/2026, 6:57:38 PM
Last updated: 3/24/2026, 1:30:44 AM