CVE-2025-11368
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-11-21
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpres | learnpress | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the LearnPress WordPress LMS Plugin up to version 4.2.9.4. It is caused by missing capability checks in a REST API endpoint (/wp-json/lp/v1/load_content_via_ajax), which allows unauthenticated attackers to execute admin-only template methods. As a result, attackers can retrieve sensitive information such as admin curriculum HTML, quiz questions with correct answers, course materials, and other educational content by supplying valid numeric IDs.
How can this vulnerability impact me?
The vulnerability can lead to sensitive information disclosure, allowing unauthorized users to access confidential educational content and quiz answers. This could compromise the integrity of courses, enable cheating, and expose proprietary or private educational materials to unauthorized parties.
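To check whether the endpoint named above has been queried on a site, the following added example (not code from LearnPress, Wordfence or this page) scans web access logs for successful requests to the route and counts them per client. It assumes common/combined log format; the threshold of 3 and the sample lines are constructed, and the `?rest_route=` form is the standard WordPress fallback for sites without pretty permalinks.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/lp/v1/load_content_via_ajax"  # REST route named in the description

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def hits_route(target):
    """True if the request target addresses the route, either under /wp-json/
    or through WordPress's ?rest_route= query fallback (plain permalinks)."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    if path.endswith("/wp-json" + ROUTE):  # also matches subdirectory installs
        return True
    # parse_qs percent-decodes values, so %2Flp%2Fv1... is matched as well
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(r.rstrip("/") == ROUTE for r in routes)

def suspicious_clients(lines, threshold=3):
    """Return {client_ip: hits} for clients with >= threshold 2xx responses
    from the route. The threshold is an assumed tuning value."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3).startswith("2") and hits_route(m.group(2)):
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log lines (documentation IP ranges), not real traffic.
_T = "[21/Nov/2025:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {_T} "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 200 5120',
    f'203.0.113.7 - - {_T} "POST /wp-json/lp/v1/load_content_via_ajax/ HTTP/1.1" 200 4890',
    f'203.0.113.7 - - {_T} "GET /?rest_route=%2Flp%2Fv1%2Fload_content_via_ajax HTTP/1.1" 200 4712',
    f'198.51.100.20 - - {_T} "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 200 5001',
    f'198.51.100.20 - - {_T} "GET /wp-json/wp/v2/posts HTTP/1.1" 200 912',
    f'192.0.2.9 - - {_T} "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 403 120',
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))
```

Access logs do not show whether a request carried a valid session, so flagged clients are candidates for review rather than confirmed unauthenticated access.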