CVE-2026-25002
Received - Intake
Authentication Bypass in LearnPress Sepay Payment Plugin

Publication date: 2026-03-25

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in ThimPress LearnPress – Sepay Payment (learnpress-sepay-payment) allows Authentication Abuse. This issue affects LearnPress – Sepay Payment: from n/a through <= 4.0.0.
Meta Information
Published: 2026-03-25
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
thimpress | learnpress-sepay-payment | to 4.0.0 (inc)
CWE ID | Description
CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Executive Summary

CVE-2026-25002 is a broken authentication vulnerability in the WordPress LearnPress – Sepay Payment Plugin versions up to and including 4.0.0.

This vulnerability allows unauthenticated attackers to perform actions typically restricted to higher privileged users, potentially enabling them to gain administrative access to affected websites.

The issue is classified under the OWASP Top 10 category A7: Identification and Authentication Failures.

Impact Analysis

An attacker exploiting this vulnerability can bypass authentication controls and perform actions reserved for administrators or other privileged users.

This could lead to unauthorized administrative access to your website, allowing the attacker to modify content, change settings, or potentially compromise sensitive data.

Although the CVSS severity score is 7.5 (high severity), the overall impact is considered low by Patchstack due to unlikely exploitation.

Mitigation Strategies

The vulnerability is patched in version 4.0.1 of the LearnPress – Sepay Payment Plugin.

Immediate updating to version 4.0.1 or later is strongly recommended to mitigate the risk.

Patchstack users can enable auto-updates specifically for vulnerable plugins to quickly reduce exposure.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Compliance Impact

CVE-2026-25002 is a broken authentication vulnerability that allows unauthenticated attackers to perform actions typically restricted to higher privileged users, potentially gaining administrative access to affected websites.

Such unauthorized access can lead to exposure or manipulation of sensitive data, which may impact compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and health information.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these regulations.
