CVE-2025-14387 is a stored cross-site scripting (XSS) vulnerability identified in the LearnPress – WordPress LMS Plugin, a widely used learning management system plugin for WordPress. The vulnerability affects all versions up to and including 4.3.1. It stems from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient input sanitization and output escaping. This flaw allows authenticated users with Subscriber-level privileges or higher to inject arbitrary JavaScript code into pages managed by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability requires authentication but no additional user interaction beyond viewing the affected page. The CVSS v3.1 base score is 6.4, indicating a medium severity level, with attack vector being network, low attack complexity, privileges required at low level, no user interaction, and scope changed. The impact primarily affects confidentiality and integrity, with no direct availability impact. No public exploits have been reported yet, but the vulnerability poses a risk to any WordPress site using the LearnPress plugin, especially those with multiple user roles and sensitive data. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

The vulnerability allows attackers with minimal privileges (Subscriber-level) to inject malicious scripts that execute in the browsers of other users, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions on behalf of victims. For organizations, this can lead to data breaches, loss of user trust, and reputational damage. Educational institutions and businesses relying on LearnPress for e-learning may face disruption and compliance issues if user data is exposed. Since the attack requires authentication but no user interaction, it can be exploited by insiders or compromised accounts, increasing the risk of lateral movement within the system. Although availability is not directly impacted, the integrity and confidentiality of user data and site content are at risk. The medium CVSS score reflects these moderate but significant impacts. The scope of affected systems is broad given LearnPress's popularity in WordPress LMS deployments worldwide.

Organizations should immediately verify if their WordPress installations use the LearnPress plugin and identify the plugin version. Until an official patch is released, administrators should restrict Subscriber-level user capabilities to the minimum necessary and monitor for suspicious activity. Implementing a Web Application Firewall (WAF) with rules to detect and block typical XSS payloads targeting LearnPress can reduce risk. Site owners should enforce strict Content Security Policy (CSP) headers to limit script execution origins. Regularly audit user-generated content for malicious scripts and consider temporarily disabling or limiting features that allow content injection by low-privilege users. Educate users and administrators about the risk and encourage strong authentication practices to prevent account compromise. Once a patch is available, prioritize immediate update of the plugin. Additionally, review and harden WordPress security configurations and keep all plugins and core software up to date to reduce exposure to similar vulnerabilities.