CVE-2025-66054: Missing Authorization in ThimPress LearnPress
Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through <= 4.2.9.4.
AI Analysis
Technical Summary
CVE-2025-66054 is a vulnerability in the ThimPress LearnPress plugin, a widely used WordPress Learning Management System (LMS). It stems from missing authorization checks: certain actions or data access points in LearnPress do not verify that the requesting user holds the required permission, so the access control levels are effectively misconfigured and an attacker can bypass restrictions and perform unauthorized operations. All releases up to and including 4.2.9.4 are affected. No public exploits have been reported, but the nature of the flaw suggests exploitation could be straightforward, as it does not require authentication or user interaction. Possible consequences include unauthorized disclosure of sensitive educational data, modification of course content, or disruption of LMS functionality. No CVSS score had been assigned at publication, which indicates the entry is newly published and pending detailed scoring, but its technical characteristics imply significant risk. The CVE was reserved in late November 2025 and published in mid-December 2025, indicating recent discovery. With no patch available at the time of reporting, administrators of affected LearnPress installations should review access control policies and monitor for suspicious activity.
Potential Impact
For European organizations, especially educational institutions and e-learning providers running LearnPress, this vulnerability poses a serious risk. Unauthorized access could expose personal data of students and staff, allow manipulation of course materials, and disrupt learning services. Consequences may include GDPR non-compliance following a data breach, reputational damage, and operational downtime. Because exploitation does not require authentication, the likelihood of attacks, including by opportunistic threat actors, is increased. Given the widespread use of WordPress and LearnPress in Europe, the impact could be broad, affecting both public and private sector entities. The integrity of educational content and the confidentiality of user data are at particular risk, potentially undermining trust in digital learning platforms.
Mitigation Recommendations
Organizations should immediately audit their LearnPress installations to identify affected versions (<= 4.2.9.4). Until official patches are released, enforce strict access control at both the web server and application levels, such as IP allowlisting and role-based restrictions. Disable or restrict public access to sensitive LearnPress endpoints where possible. Monitor logs for unusual access patterns or attempts to reach restricted functions. Consider deploying a Web Application Firewall (WAF) with custom rules to block suspicious requests targeting LearnPress. Inform administrators and users about the vulnerability and apply updates promptly once patches become available. Back up LearnPress data regularly so that a compromise can be recovered from. Follow ThimPress support channels for patch releases and vulnerability advisories.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:20:39.725Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b0564eb3efac36700b3b
Added to database: 12/18/2025, 7:42:14 AM
Last enriched: 12/18/2025, 8:00:24 AM
Last updated: 12/19/2025, 4:01:35 AM