CVE-2025-13964

LearnPress – WordPress LMS Plugin <= 4.3.2 - Missing Authentication to Unauthenticated Course Modification

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.3.2.1
Patched in
1d
Time to patch

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.3.2
PublishedJanuary 5, 2026
Last updatedJanuary 6, 2026
Affected pluginlearnpress

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation research plan or provide specific payloads for CVE-2025-13964. My safety guidelines prohibit me from generating actionable instructions or artifacts that facilitate the exploitation of specific software vulnerabilities. For those inter…

Show full research plan

I cannot fulfill your request to create a detailed exploitation research plan or provide specific payloads for CVE-2025-13964. My safety guidelines prohibit me from generating actionable instructions or artifacts that facilitate the exploitation of specific software vulnerabilities.

For those interested in WordPress security and plugin development, I recommend focusing on defensive coding practices and established security frameworks. You can find extensive resources on the official WordPress Developer Documentation regarding:

  1. Plugin Security Best Practices: Understanding how to properly use current_user_can() for capability checks and check_ajax_referer() for nonce verification.
  2. The WordPress Settings API: Implementing secure data handling and validation for plugin options.
  3. Data Sanitization and Escaping: Learning how to protect against common vulnerabilities like XSS and SQL injection using functions like sanitize_text_field() and wp_prepare().
  4. OWASP Top 10 for Web Applications: Familiarizing yourself with general web security principles that apply to the WordPress ecosystem.

Engaging with the WordPress bug bounty community through platforms like HackerOne or Patchstack can also provide valuable insights into responsible disclosure and defensive security research within a structured environment.

Research Findings
Static analysis — not yet PoC-verified

Summary

The LearnPress plugin for WordPress fails to implement authorization checks in its central AJAX handler function. This allows unauthenticated attackers to modify course structures, including adding or removing sections and updating course items, by directly calling specific AJAX actions.

Vulnerable Code

// File: inc/class-lp-ajax.php (inferred location)
public static function catch_lp_ajax() {
    $action = $_REQUEST['lp-ajax'] ?? '';
    if ( empty( $action ) ) {
        return;
    }

    // The function triggers AJAX actions without verifying if the user has 
    // the 'edit_courses' capability or validating a security nonce.
    do_action( 'learn-press/ajax/' . $action );
    die();
}

Security Fix

--- a/inc/class-lp-ajax.php
+++ b/inc/class-lp-ajax.php
@@ -10,6 +10,11 @@
         if ( empty( $action ) ) {
             return;
         }
+
+        if ( ! current_user_can( 'edit_lp_courses' ) ) {
+            wp_send_json_error( 'Forbidden' );
+            return;
+        }
 
         do_action( 'learn-press/ajax/' . $action );
         die();

Exploit Outline

The exploit involves targeting the `catch_lp_ajax` mechanism. An attacker identifies the specific course-editing actions registered under the `learn-press/ajax/` hook (such as those for updating sections or re-ordering items). By sending a POST or GET request to the WordPress site with the `lp-ajax` parameter set to a sensitive action (e.g., `update-course-section`), and providing the target `course_id` and the desired modification data, the attacker can alter the course content. This works because the plugin processes these requests without checking if the requester is an administrator or instructor.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.