CVE-2025-11372 is a missing authorization vulnerability (CWE-862) in the LearnPress WordPress LMS plugin developed by thimpress, impacting all versions up to and including 4.2.9.2. The root cause is the absence of proper capability checks on the Admin Tools REST API endpoints, specifically those registered with a permission_callback set to __return_true, effectively disabling any permission enforcement. This flaw allows unauthenticated remote attackers to invoke administrative REST endpoints without restriction. Through the /wp-json/lp/v1/admin/tools/create-indexs endpoint, attackers can supply arbitrary table names to execute destructive database operations such as dropping indexes on any table, including critical WordPress core tables like wp_options. This can lead to degraded site performance, data integrity issues, and potential denial of service. The vulnerability does not affect confidentiality directly but severely impacts integrity and availability. The CVSS 3.1 base score is 6.5 (medium), reflecting network exploitability without authentication or user interaction but limited to integrity and availability impacts. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the ease of exploitation and potential damage make this a significant threat for sites using LearnPress.

The vulnerability allows unauthenticated attackers to perform destructive operations on the WordPress database, including dropping indexes on any table. This can degrade site performance, cause data corruption, and potentially disrupt the availability of the affected WordPress site. Since critical core tables like wp_options can be targeted, attackers may indirectly affect site configuration and stability, leading to partial or full denial of service. The integrity of the database is compromised, which can affect the reliability of the LMS platform and the broader WordPress environment. Organizations relying on LearnPress for e-learning or course management may face operational disruptions, loss of user trust, and increased recovery costs. The lack of authentication requirement and remote exploitability increase the risk of automated attacks and widespread exploitation if weaponized. Although no exploits are known in the wild yet, the vulnerability's characteristics make it a prime candidate for future exploitation campaigns.

Immediate mitigation involves restricting access to the vulnerable REST API endpoints by implementing custom permission checks or firewall rules to block unauthenticated requests to /wp-json/lp/v1/admin/tools/* endpoints. Site administrators should monitor and restrict access to the REST API using plugins or web application firewalls (WAFs) that can enforce authentication or IP whitelisting. Until an official patch is released, consider disabling or limiting the LearnPress plugin’s admin tools REST endpoints via code modifications or plugin hooks. Regular backups of the WordPress database are critical to enable recovery from destructive operations. Administrators should also monitor logs for suspicious REST API calls targeting the vulnerable endpoints. Once a patch is available, immediate updating of the LearnPress plugin to a fixed version is essential. Additionally, applying the principle of least privilege to WordPress user roles and limiting plugin installations to trusted sources can reduce attack surface.