LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/loadcontentviaajax which allows arbitrary callback execution of...

CVE-2025-11368 LearnPress – WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/loadcontentviaajax which allows arbitrary callback execution of...

CVE-2025-11368

The CWE/CVE entry CVE-2025-11368 maps to the LearnPress WordPress LMS Plugin. Affected versions are up to 4.2.9.4 (and versions prior to 4.2.9.5 as per PT-2025-47660). The root cause is missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax, enabling arbitrary callbac...