
CVE-2025-13964: CWE-862 Missing Authorization in thimpress LearnPress – WordPress LMS Plugin

Severity: Medium
Tags: CVE-2025-13964, CWE-862
Published: Tue Jan 06 2026 (01/06/2026, 08:21:49 UTC)
Source: CVE Database V5
Vendor/Project: thimpress
Product: LearnPress – WordPress LMS Plugin

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 10:36:12 UTC

Technical Analysis

CVE-2025-13964 is a vulnerability in the LearnPress plugin for WordPress, a widely used Learning Management System (LMS) plugin developed by thimpress. The issue is a missing authorization check in the catch_lp_ajax function, which handles AJAX requests related to course content management. Because the function never verifies that the caller holds a capability permitting course edits, an unauthenticated attacker can send crafted requests that modify course content: adding, removing, updating or re-ordering course sections and section items. No user interaction is required. The result is a loss of integrity of the LMS content. All versions up to and including 4.3.2 are affected.

The CVSS v3.1 base score is 5.3 (Medium): network attack vector, low attack complexity, no privileges required, no user interaction, with a low integrity impact and no confidentiality or availability impact. The score reflects that the attacker can alter data but not read it or take the site down through this flaw alone.

The vulnerability is classified as CWE-862 (Missing Authorization): a sensitive operation is exposed without an access-control check. No patch or official fix is linked on this page, and no in-the-wild exploitation has been reported as of the publication date. Organizations running LearnPress should treat any version up to 4.3.2 as affected and monitor the vendor for a fixed release.
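The failure pattern described above, and the corresponding fix, as an added PHP example. This is not LearnPress code: the action name `lms_update_section`, the post type `lms_course`, the meta key and the function names are hypothetical, and the vulnerable handler is kept deliberately weak to show what a missing capability check looks like in a WordPress AJAX handler.

```php
<?php
// Added example (not from LearnPress). Names below are hypothetical.

// VULNERABLE pattern (CWE-862): the handler is registered for logged-out users
// via wp_ajax_nopriv_, and nothing verifies that the caller may edit the course.
add_action( 'wp_ajax_lms_update_section', 'lms_update_section_vulnerable' );
add_action( 'wp_ajax_nopriv_lms_update_section', 'lms_update_section_vulnerable' );

function lms_update_section_vulnerable() {
    $course_id = absint( $_POST['course_id'] ?? 0 );
    $title     = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // Input sanitization does not answer the question "is this caller allowed
    // to change this course?" -- any visitor who knows a course ID succeeds here.
    update_post_meta( $course_id, '_lms_section_title', $title );
    wp_send_json_success();
}

// HARDENED pattern: reachable only when logged in (no nopriv registration),
// requires a nonce bound to the action, and requires the edit capability for
// the specific course being changed. Every check fails closed.
add_action( 'wp_ajax_lms_update_section', 'lms_update_section_hardened' );

function lms_update_section_hardened() {
    // CSRF protection: nonce must match the action; dies with HTTP 403 otherwise.
    check_ajax_referer( 'lms_update_section', 'nonce' );

    $course_id = absint( $_POST['course_id'] ?? 0 );
    // Hypothetical post type name; use the plugin's real course post type.
    if ( ! $course_id || get_post_type( $course_id ) !== 'lms_course' ) {
        wp_send_json_error( array( 'message' => 'invalid course' ), 400 );
    }

    // Authorization: edit_post is a meta capability resolved against this
    // object, so an author can edit only their own courses unless they also
    // hold the corresponding edit_others capability.
    if ( ! current_user_can( 'edit_post', $course_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_post_meta( $course_id, '_lms_section_title', $title );
    wp_send_json_success( array( 'course_id' => $course_id ) );
}
```

The client side must include the nonce generated by `wp_create_nonce( 'lms_update_section' )` in the `nonce` field. If a plugin genuinely needs some AJAX actions available to logged-out users, register `wp_ajax_nopriv_` only for read-only actions and keep every write path behind a capability check tied to the object being modified, not just to "is logged in".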

Potential Impact

The primary impact of CVE-2025-13964 is on the integrity of course content within the LearnPress LMS plugin. Unauthorized modification of course materials can lead to misinformation, disruption of learning paths, and potential reputational damage for educational institutions or organizations relying on the platform. Attackers could manipulate course structure to confuse or mislead learners, potentially affecting certification processes or learning outcomes. Although confidentiality and availability are not directly impacted, the trustworthiness of the LMS content is compromised. This could also lead to indirect impacts such as loss of user confidence, increased support costs, and potential regulatory scrutiny if educational standards are violated. Since exploitation requires no authentication and no user interaction, the vulnerability is relatively easy to exploit remotely, increasing the risk of widespread abuse. Organizations with large user bases or critical training programs are particularly vulnerable to operational disruption and damage to educational integrity.

Mitigation Recommendations

To mitigate CVE-2025-13964, organizations should first confirm whether they are running LearnPress at version 4.3.2 or earlier and plan to upgrade as soon as the vendor releases a fixed version. Until then, the following stop-gaps reduce exposure. A web application firewall can be used to block requests that reach the course-modification path; note that a WAF cannot see the PHP function name catch_lp_ajax, so rules must key on the request path and the parameters that dispatch to that handler, and should be tested against legitimate front-end traffic to avoid breaking normal plugin use. Restricting administrative functions to allow-listed IPs or a VPN does not by itself close this hole, because the vulnerable path is reachable without authentication; an IP restriction helps only if it is applied to that request path itself, which may disable front-end features that depend on it. Monitor web server logs for AJAX requests targeting LearnPress endpoints from unauthenticated sessions or unusual sources, and periodically compare course section structures against a known-good snapshot to detect unauthorized changes. In high-risk environments, temporarily disabling or limiting the plugin may be warranted. Maintain regular backups of course content so that tampered courses can be restored, and subscribe to the vendor's security advisories to learn promptly when a patch is available.


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-03T15:01:16.691Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 695cc9de3839e44175ff5dbe

Added to database: 1/6/2026, 8:37:50 AM

Last enriched: 2/27/2026, 10:36:12 AM

Last updated: 3/25/2026, 5:33:22 PM

Views: 92
