CVE-2025-67536 is a stored Cross-site Scripting (XSS) vulnerability identified in the ThimPress LearnPress plugin, a popular WordPress plugin used for creating and managing online learning platforms. The vulnerability exists due to improper neutralization of input during web page generation, which allows malicious actors to inject and store arbitrary JavaScript code within the application. When other users access the affected pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability affects LearnPress versions up to and including 4.2.9.4. The CVSS 3.1 base score is 6.5, with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating that the attack can be performed remotely over the network with low attack complexity but requires some level of privileges and user interaction. The scope is changed, meaning the vulnerability impacts components beyond the initially vulnerable module, increasing its potential impact. Although no known exploits are currently reported in the wild, the presence of stored XSS in a widely used e-learning plugin poses a significant risk, especially as attackers often target educational platforms. The vulnerability can compromise confidentiality by stealing cookies or credentials, integrity by altering displayed content, and availability by executing disruptive scripts. The plugin’s widespread use in European educational institutions and enterprises makes this a relevant threat for the region.

For European organizations, especially educational institutions and enterprises using WordPress with LearnPress, this vulnerability can lead to unauthorized access to user accounts, data leakage, and manipulation of learning content. Attackers could exploit the stored XSS to hijack sessions of administrators or instructors, potentially gaining elevated privileges to alter course materials or user data. This could disrupt learning operations, damage organizational reputation, and violate data protection regulations such as GDPR if personal data is compromised. The medium severity score reflects the need for timely remediation to prevent exploitation. Given the collaborative nature of e-learning platforms, the impact extends beyond individual users to the broader organizational ecosystem. Additionally, the scope change in the vulnerability increases the risk of widespread impact across multiple components of the platform.

1. Monitor official ThimPress LearnPress channels for security updates and apply patches immediately once available. 2. Until patches are released, restrict user roles and permissions to minimize the number of users who can submit content that is rendered without proper sanitization. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting LearnPress endpoints. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Conduct regular security audits and code reviews focusing on input validation and output encoding in customizations or extensions of LearnPress. 6. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content within the platform. 7. Use security plugins that provide additional XSS protection for WordPress environments. 8. Log and monitor unusual user activities that may indicate exploitation attempts.