CVE-2025-13956 is a vulnerability identified in the LearnPress – WordPress LMS Plugin, a widely used learning management system plugin for WordPress websites. The issue stems from a missing authorization check (CWE-862) on the statistics function, which is responsible for providing order-related data such as total revenue summaries and order status counts. This flaw exists in all versions up to and including 4.3.1. Because the plugin fails to verify user capabilities before disclosing this information, unauthenticated attackers can access sensitive business data without any authentication or user interaction. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting its medium severity due to the confidentiality impact and ease of exploitation (network vector, no privileges required, no user interaction). While the vulnerability does not allow attackers to alter data or disrupt service, the unauthorized disclosure of financial and order statistics can provide valuable intelligence for further attacks or competitive analysis. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability was publicly disclosed on December 16, 2025, with Wordfence as the assigner. Given the widespread use of WordPress and LearnPress for e-learning platforms, this vulnerability poses a notable risk to organizations relying on this plugin for online course management and sales.

The primary impact of CVE-2025-13956 is the unauthorized disclosure of sensitive business information, specifically order statistics including total revenue and order status counts. For organizations, this can lead to loss of confidentiality, potentially exposing financial performance and sales data to competitors or malicious actors. Such information leakage can facilitate targeted phishing, social engineering, or competitive intelligence gathering. Although the vulnerability does not allow modification of data or denial of service, the exposure of confidential metrics can undermine trust with customers and partners. Educational institutions, e-learning providers, and businesses using LearnPress for monetized courses are particularly at risk. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate data harvesting at scale. While no known exploits exist yet, the vulnerability's public disclosure increases the likelihood of future exploitation attempts. Organizations worldwide using this plugin should consider the risk of data exposure and potential reputational damage.

To mitigate CVE-2025-13956, organizations should: 1) Monitor for and apply any official patches or updates from the LearnPress plugin vendor promptly once available. 2) In the absence of patches, implement web application firewall (WAF) rules to restrict access to the statistics endpoints, allowing only trusted IP addresses or authenticated users. 3) Review and harden WordPress user roles and permissions to ensure minimal exposure of sensitive plugin functions. 4) Conduct regular security audits and penetration tests focusing on plugin endpoints to detect unauthorized access. 5) Consider disabling or restricting the statistics feature if it is not essential to operations. 6) Monitor logs for unusual access patterns to the statistics function indicative of exploitation attempts. 7) Educate site administrators about the risks of unauthorized data exposure and the importance of timely updates. These targeted actions go beyond generic advice by focusing on access control and monitoring specific to the vulnerable functionality.