CVE-2026-25002 identifies an authentication bypass vulnerability in the ThimPress LearnPress – Sepay Payment plugin, which is widely used to enable payment processing within the LearnPress e-learning management system on WordPress. The vulnerability arises from the plugin allowing authentication to be circumvented via an alternate path or communication channel, effectively enabling attackers to perform authentication abuse. This means an attacker can gain unauthorized access to payment functionalities without valid credentials, potentially manipulating payment transactions or accessing sensitive payment data. The affected versions include all versions up to and including 4.0.0. Although no public exploits have been reported yet, the vulnerability's nature suggests it could be exploited remotely without user interaction, increasing risk. The lack of a CVSS score indicates the need for a severity assessment based on impact and exploitability factors. The vulnerability impacts the confidentiality and integrity of payment data and the availability of payment services within the affected plugin. Since LearnPress is a popular WordPress LMS plugin and Sepay is a payment gateway integration, the vulnerability could affect numerous educational institutions and businesses relying on these tools for online course payments. The absence of patches at the time of publication necessitates immediate attention to alternative mitigations until official fixes are released.

The authentication bypass vulnerability could allow attackers to gain unauthorized access to payment processing functions within the LearnPress – Sepay Payment plugin. This unauthorized access can lead to fraudulent transactions, manipulation or theft of payment data, and disruption of payment services. Organizations using this plugin for e-learning payments may face financial losses, reputational damage, and potential legal liabilities due to compromised payment integrity. The breach of payment authentication mechanisms undermines trust in the platform and could expose sensitive customer payment information. Additionally, attackers might leverage this access to pivot to other parts of the affected systems, increasing the scope of compromise. The impact is particularly severe for educational institutions, online course providers, and businesses relying on this plugin for secure payment processing. The vulnerability's ease of exploitation without authentication or user interaction further elevates the risk profile.

Until an official patch is released by ThimPress, organizations should implement the following mitigations: 1) Restrict access to the LearnPress – Sepay Payment plugin’s administrative and payment endpoints using web application firewalls (WAFs) or IP whitelisting to limit exposure. 2) Monitor logs for unusual access patterns or unauthorized attempts to reach payment processing URLs. 3) Disable or temporarily remove the Sepay Payment integration if feasible, to eliminate the attack surface. 4) Enforce strict user role permissions within WordPress to minimize privilege escalation risks. 5) Keep WordPress core and all plugins updated to reduce the risk of chained exploits. 6) Conduct regular security audits and penetration testing focused on payment workflows. 7) Educate staff and users about potential phishing or social engineering attempts that could exploit this vulnerability. Once ThimPress releases a patch, apply it immediately and verify the fix through testing.