CVE-2025-11368: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in thimpress LearnPress – WordPress LMS Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-11368 affects the LearnPress WordPress LMS plugin, versions up to and including 4.2.9.4. It is categorized under CWE-200, indicating exposure of sensitive information to unauthorized actors. The root cause is the absence of proper capability checks on the REST API endpoint /wp-json/lp/v1/load_content_via_ajax. This endpoint allows unauthenticated users to invoke admin-only template methods arbitrarily by supplying valid numeric IDs. Consequently, attackers can extract sensitive educational content such as admin curriculum HTML, quiz questions with correct answers, and course materials without any authentication or user interaction. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting medium severity, with the vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to confidentiality loss. There is no known exploit in the wild at the time of publication. The vulnerability affects all versions up to 4.2.9.4, and no official patch links are provided yet. The exposure of quiz answers and course materials can undermine the integrity of educational assessments and intellectual property. The vulnerability is remotely exploitable via the REST API, which is typically accessible on WordPress sites, increasing the attack surface. Organizations using LearnPress should monitor API usage and restrict access to the vulnerable endpoint until a patch is available.
Potential Impact
For European organizations, particularly educational institutions and e-learning providers utilizing the LearnPress plugin, this vulnerability poses a significant risk to the confidentiality of sensitive educational content. Unauthorized disclosure of quiz questions and correct answers can compromise the integrity of assessments and certifications, potentially damaging institutional reputation and trust. Exposure of curriculum materials may also lead to intellectual property theft or unauthorized redistribution. Although the vulnerability does not affect system availability or data integrity directly, the loss of confidentiality can have downstream effects on educational quality and compliance with data protection regulations such as GDPR. The ease of exploitation without authentication increases the likelihood of opportunistic attacks, especially on publicly accessible WordPress LMS sites. This could lead to reputational damage and potential legal liabilities if personal data or sensitive educational content is leaked. The impact is heightened in countries with widespread adoption of WordPress and LearnPress, where large numbers of users and students could be affected.
Mitigation Recommendations
1. Immediately restrict access to the REST API endpoint /wp-json/lp/v1/load_content_via_ajax by implementing web application firewall (WAF) rules or server-level access controls to block unauthenticated requests.
2. Monitor web server and application logs for unusual or repeated access attempts to the vulnerable endpoint, especially those supplying numeric IDs.
3. Disable or limit the LearnPress REST API functionality if it is not required for normal operations.
4. Apply the principle of least privilege by ensuring that only authenticated and authorized users can access sensitive LMS content.
5. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released.
6. Consider deploying runtime application self-protection (RASP) or endpoint detection tools that can detect anomalous API calls.
7. Educate site administrators about the risks of exposing sensitive educational content and encourage regular plugin updates and security reviews.
8. For critical environments, consider isolating LMS platforms from public internet access or placing them behind VPNs or secure gateways until patched.
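The log monitoring in recommendation 2 can be sketched as follows. This is an added example, not code from the advisory or from the LearnPress project. It assumes access logs in Combined Log Format and a hypothetical per-client threshold of 3. It also matches WordPress's `?rest_route=` form of the same route, which a rule written only against the `/wp-json/` path would miss.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/lp/v1/load_content_via_ajax"  # REST route named in the advisory
# Combined Log Format: client IP, then the quoted request line (method, URI)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3}')

def _norm(path):
    return re.sub(r"/+", "/", path).rstrip("/").lower()

def targets_route(request_uri):
    """True if the URI reaches the route via /wp-json/ or ?rest_route=."""
    parts = urlsplit(request_uri)
    if _norm(unquote(parts.path)).endswith("/wp-json" + ROUTE):
        return True
    # WordPress also serves REST routes through the rest_route query parameter
    return any(_norm(v) == ROUTE
               for v in parse_qs(parts.query).get("rest_route", []))

def suspicious_clients(log_lines, threshold=3):
    """Return {ip: hits} for clients with at least `threshold` requests."""
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line)
        if m and targets_route(m.group(3)):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2025:05:01:10 +0000] "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Nov/2025:05:01:11 +0000] "POST /wp-json/lp/v1/load_content_via_ajax/ HTTP/1.1" 200 4980 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Nov/2025:05:01:12 +0000] "POST /index.php?rest_route=%2Flp%2Fv1%2Fload_content_via_ajax HTTP/1.1" 200 5011 "-" "curl/8.5.0"',
    '198.51.100.20 - - [21/Nov/2025:05:02:00 +0000] "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 200 812 "https://lms.example/course/1" "Mozilla/5.0"',
    '198.51.100.20 - - [21/Nov/2025:05:02:05 +0000] "GET /wp-json/lp/v1/courses HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

Access logs normally carry no session information, so the output is a list of clients to review rather than proof of unauthenticated access; tune the threshold against the site's normal learner traffic.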
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-06T13:47:47.518Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691ffc17a535ade79490ffb1
Added to database: 11/21/2025, 5:43:51 AM
Last enriched: 11/21/2025, 5:55:54 AM
Last updated: 11/21/2025, 3:33:23 PM