
CVE-2025-11372: CWE-862 Missing Authorization in thimpress LearnPress – WordPress LMS Plugin

Severity: Medium
Published: Sat Oct 18 2025 (10/18/2025, 06:42:48 UTC)
Source: CVE Database V5
Vendor/Project: thimpress
Product: LearnPress – WordPress LMS Plugin

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permission_callback set to __return_true. This makes it possible for unauthenticated attackers to perform destructive database operations including dropping indexes on any table (including WordPress core tables like wp_options), creating duplicate configuration entries, and degrading site performance via the /wp-json/lp/v1/admin/tools/create-indexs endpoint granted they can provide table names.

AI-Powered Analysis

Last updated: 10/25/2025, 09:56:49 UTC

Technical Analysis

CVE-2025-11372 is a missing authorization vulnerability (CWE-862) in the LearnPress WordPress LMS plugin, affecting all versions up to and including 4.2.9.2. The root cause is the absence of capability checks on the Admin Tools REST API endpoints, specifically the /wp-json/lp/v1/admin/tools/create-indexs endpoint. This endpoint is registered with permission_callback set to __return_true, so any unauthenticated user can invoke it. Exploitation enables attackers to execute destructive database operations such as dropping indexes on arbitrary tables, including critical WordPress core tables like wp_options, which can disrupt site functionality. Additionally, attackers can create duplicate configuration entries, potentially causing configuration conflicts or malfunctions, and degrade site performance by manipulating database indexes.

The vulnerability does not impact confidentiality directly but severely affects integrity and availability. No authentication or user interaction is required, making exploitation straightforward if the endpoint is accessible. While no public exploits are known at this time, the vulnerability's nature and ease of exploitation make it a significant threat to sites using LearnPress. The CVSS 3.1 score of 6.5 reflects these factors: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and low availability impact (A:L).

Potential Impact

For European organizations, this vulnerability poses a risk of severe disruption to WordPress-based LMS platforms using the LearnPress plugin. The ability for unauthenticated attackers to perform destructive database operations can lead to data integrity loss, site outages, and degraded performance, impacting e-learning services, user access, and organizational operations dependent on these platforms. Educational institutions, training providers, and enterprises relying on LearnPress for course delivery could face operational downtime and reputational damage. Although confidentiality is not directly compromised, the loss of data integrity and availability can indirectly affect compliance with data protection regulations such as GDPR if service disruptions impact personal data processing. The ease of exploitation and lack of authentication requirements increase the likelihood of attacks, especially in environments where the REST API is publicly accessible. Organizations may also face increased incident response costs and potential regulatory scrutiny if service disruptions affect users or data processing.

Mitigation Recommendations

Immediate mitigation steps include restricting access to the vulnerable REST API endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to /wp-json/lp/v1/admin/tools/* paths. Organizations should disable or restrict the REST API for unauthenticated users where possible. Applying the latest plugin updates from the vendor once available is critical; if no patch is currently released, consider temporarily deactivating the LearnPress plugin or isolating the affected WordPress instance from public access. Monitoring web server logs for suspicious requests targeting the vulnerable endpoints can help detect exploitation attempts early. Additionally, backing up WordPress databases regularly and verifying backup integrity ensures recovery capability in case of destructive attacks. Organizations should also review and harden WordPress user roles and permissions to minimize exposure. Finally, consider implementing network-level access controls to limit REST API access to trusted IP addresses or VPN users.
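
The log monitoring recommended above, as an added example (not part of the original advisory or of the LearnPress code): a Python filter that flags access-log requests addressing the /lp/v1/admin/tools/ routes, whether they arrive through /wp-json/ or through the ?rest_route= query form WordPress also accepts. The log layout, the function names and the sample lines are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Route prefix taken from the advisory; all other names are this example's own.
TOOLS_PREFIX = "/lp/v1/admin/tools/"
# Common/combined access-log layout (assumed): ip - user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = re.sub(r"/{2,}", "/", unquote(parts.path))  # decode %xx, collapse //
    idx = path.lower().find("/wp-json/")
    if idx != -1:
        return path[idx + len("/wp-json"):]
    # Plain-permalink form: /index.php?rest_route=/lp/v1/...
    routes = parse_qs(parts.query).get("rest_route")
    return routes[0] if routes else None

def find_hits(lines):
    """Return one dict per logged request that addresses the Admin Tools routes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        route = rest_route(m["target"]) if m else None
        if route and (route.lower().rstrip("/") + "/").startswith(TOOLS_PREFIX):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "route": route, "status": int(m["status"])})
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2025:07:01:12 +0000] "POST /wp-json/lp/v1/admin/tools/create-indexs HTTP/1.1" 200 312
198.51.100.20 - - [18/Oct/2025:07:02:40 +0000] "GET /wp-json/lp/v1/courses?per_page=10 HTTP/1.1" 200 5120
203.0.113.7 - - [18/Oct/2025:07:03:05 +0000] "POST /index.php?rest_route=%2Flp%2Fv1%2Fadmin%2Ftools%2Fcreate-indexs HTTP/1.1" 200 298
203.0.113.9 - - [18/Oct/2025:07:04:51 +0000] "POST /wp-json/lp/v1/admin/tools/create-indexs HTTP/1.1" 403 94
"""

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines()):
        # A 2xx answer means the endpoint ran; 401/403 means access was refused.
        print(hit["time"], hit["ip"], hit["method"], hit["route"], hit["status"])
```

Access logs do not show whether a request carried an administrator session, so hits with a 2xx status from addresses that are not known administrators are the ones to review first.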


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-10-06T14:44:39.048Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68f33944197c8629076f80c5

Added to database: 10/18/2025, 6:52:52 AM

Last enriched: 10/25/2025, 9:56:49 AM

Last updated: 11/28/2025, 5:31:28 PM
