The vulnerability CVE-2025-11372 affects the LearnPress plugin for WordPress, a widely used Learning Management System (LMS) plugin. The root cause is a missing authorization check (CWE-862) on the Admin Tools REST API endpoints, specifically those registered with a permission_callback that always returns true (__return_true). This flaw allows any unauthenticated attacker to invoke administrative REST endpoints without proper capability verification. Through the /wp-json/lp/v1/admin/tools/create-indexs endpoint, attackers can specify arbitrary database table names and perform destructive operations such as dropping indexes. This can affect WordPress core tables like wp_options, potentially causing data integrity issues and degraded site performance. Additionally, attackers can create duplicate configuration entries, further destabilizing the plugin’s operation. The vulnerability affects all versions up to and including 4.2.9.2. Exploitation requires no privileges or user interaction, making it highly accessible to remote attackers. Although no known exploits have been reported in the wild, the vulnerability’s nature poses a significant risk to the availability and integrity of affected WordPress sites. The CVSS 3.1 base score is 6.5 (medium), reflecting network attack vector, no privileges required, no user interaction, and impacts on integrity and availability but not confidentiality. The lack of patch links suggests a fix is pending or not yet publicly available. Organizations using LearnPress should monitor for updates and consider interim protective measures.

For European organizations, this vulnerability poses a risk of service disruption and data integrity compromise in WordPress sites running the LearnPress LMS plugin. Educational institutions, e-learning providers, and businesses relying on LearnPress for training and course management could experience degraded performance or partial loss of functionality if indexes on critical database tables are dropped. This can lead to slower queries, increased server load, and potential downtime. The ability to create duplicate configuration entries may cause unpredictable plugin behavior, complicating recovery efforts. Since the vulnerability allows unauthenticated remote exploitation, attackers can target sites en masse, increasing the risk of widespread disruption. Confidential data leakage is not directly impacted, but the integrity and availability of learning content and user progress data are at risk. This could undermine trust in e-learning platforms and cause operational setbacks. The impact is particularly relevant for organizations with public-facing WordPress LMS sites without additional access restrictions on REST API endpoints.

1. Immediately monitor official channels from the plugin vendor (ThimPress) for security patches and apply updates as soon as they become available. 2. Until a patch is released, restrict access to the vulnerable REST API endpoints by implementing web application firewall (WAF) rules that block or limit access to /wp-json/lp/v1/admin/tools/* endpoints from unauthenticated or untrusted IP addresses. 3. Use WordPress security plugins or custom code to enforce capability checks on these REST endpoints, overriding the default permission_callback to require administrator privileges. 4. Regularly audit WordPress plugin usage and remove or disable unused plugins to reduce attack surface. 5. Backup WordPress databases frequently and verify backups to enable rapid recovery if destructive operations occur. 6. Monitor logs for suspicious REST API calls targeting LearnPress endpoints to detect exploitation attempts early. 7. Educate site administrators about the risks of exposing administrative REST endpoints without proper authorization controls. 8. Consider isolating critical WordPress LMS sites behind VPN or IP whitelisting to limit exposure to external attackers.