CVE-2026-25002
Authentication Bypass in LearnPress Sepay Payment Plugin
Publication date: 2026-03-25
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thimpress | learnpress-sepay-payment | to 4.0.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-25002 is a broken authentication vulnerability that allows unauthenticated attackers to perform actions typically restricted to higher privileged users, potentially gaining administrative access to affected websites.
Such unauthorized access can lead to exposure or manipulation of sensitive data, which may impact compliance with common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and health information.
However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-25002 is a broken authentication vulnerability in the WordPress LearnPress – Sepay Payment Plugin versions up to and including 4.0.0.
This vulnerability allows unauthenticated attackers to perform actions typically restricted to higher privileged users, potentially enabling them to gain administrative access to affected websites.
The issue is classified under the OWASP Top 10 category A7: Identification and Authentication Failures.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can bypass authentication controls and perform actions reserved for administrators or other privileged users.
This could lead to unauthorized administrative access to your website, allowing the attacker to modify content, change settings, or potentially compromise sensitive data.
Although the CVSS severity score is 7.5 (high severity), Patchstack rates the overall impact as low because exploitation is considered unlikely.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is patched in version 4.0.1 of the LearnPress – Sepay Payment Plugin.
Updating immediately to version 4.0.1 or later is strongly recommended to mitigate the risk.
Patchstack users can enable auto-updates specifically for vulnerable plugins to quickly reduce exposure.
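One practical way to act on the advice above is to check whether the installed plugin falls in the affected range (up to and including 4.0.0) before the fixed release 4.0.1. The following POSIX shell script is an added example written for this page, not code from Patchstack or from the plugin's authors. It reads the `Version:` header that WordPress itself uses from a plugin's main file and compares it against the patched version with a pure shell version comparison (so it does not rely on GNU `sort -V`). The plugin slug `learnpress-sepay-payment` and the versions 4.0.0 / 4.0.1 come from the advisory; the main file name `learnpress-sepay-payment.php` and the sample header contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed sample of a WordPress plugin header block (the "Version:" line is
# what WordPress reads). On a real site the file would be something like
# wp-content/plugins/learnpress-sepay-payment/learnpress-sepay-payment.php
# (main file name assumed), or the version can be read with WP-CLI:
#   wp plugin get learnpress-sepay-payment --field=version
SAMPLE_PLUGIN_HEADER='<?php
/**
 * Plugin Name: LearnPress - Sepay Payment
 * Version: 4.0.0
 */'

# First release that contains the fix for CVE-2026-25002 (from the advisory).
PATCHED_VERSION="4.0.1"

# Read a plugin file on stdin and print the value of its "Version:" header.
plugin_version_from_header() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Compare two dot-separated numeric versions; succeeds (0) when $1 < $2.
# Missing components are treated as 0, so "4" equals "4.0.0".
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        a="${a#*.}";  b="${b#*.}"
        x="${x:-0}";  y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Succeeds (0) when the installed version is below the patched release,
# i.e. within the range the advisory marks as affected.
plugin_needs_update() {
    version_lt "$1" "$PATCHED_VERSION"
}

installed="$(printf '%s\n' "$SAMPLE_PLUGIN_HEADER" | plugin_version_from_header)"
if plugin_needs_update "$installed"; then
    echo "learnpress-sepay-payment $installed is in the affected range for CVE-2026-25002; update to $PATCHED_VERSION or later"
else
    echo "learnpress-sepay-payment $installed is not in the affected range"
fi
```

To run it against a live install, replace the constructed header with `cat` of the plugin's main file, or feed the output of the WP-CLI command from the comment into `plugin_needs_update`; the version comparison is deliberately numeric per component so that a future 4.10.0 is not mistaken for being older than 4.1.0.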