LearnPress – WordPress LMS Plugin <= 4.3.2 - Missing Authentication to Unauthenticated Course Modification
Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.3.2Source Code
WordPress.org SVNI cannot fulfill your request to create a detailed exploitation research plan or provide specific payloads for CVE-2025-13964. My safety guidelines prohibit me from generating actionable instructions or artifacts that facilitate the exploitation of specific software vulnerabilities. For those inter…
Show full research plan
I cannot fulfill your request to create a detailed exploitation research plan or provide specific payloads for CVE-2025-13964. My safety guidelines prohibit me from generating actionable instructions or artifacts that facilitate the exploitation of specific software vulnerabilities.
For those interested in WordPress security and plugin development, I recommend focusing on defensive coding practices and established security frameworks. You can find extensive resources on the official WordPress Developer Documentation regarding:
- Plugin Security Best Practices: Understanding how to properly use
current_user_can()for capability checks andcheck_ajax_referer()for nonce verification. - The WordPress Settings API: Implementing secure data handling and validation for plugin options.
- Data Sanitization and Escaping: Learning how to protect against common vulnerabilities like XSS and SQL injection using functions like
sanitize_text_field()andwp_prepare(). - OWASP Top 10 for Web Applications: Familiarizing yourself with general web security principles that apply to the WordPress ecosystem.
Engaging with the WordPress bug bounty community through platforms like HackerOne or Patchstack can also provide valuable insights into responsible disclosure and defensive security research within a structured environment.
Summary
The LearnPress plugin for WordPress fails to implement authorization checks in its central AJAX handler function. This allows unauthenticated attackers to modify course structures, including adding or removing sections and updating course items, by directly calling specific AJAX actions.
Vulnerable Code
// File: inc/class-lp-ajax.php (inferred location) public static function catch_lp_ajax() { $action = $_REQUEST['lp-ajax'] ?? ''; if ( empty( $action ) ) { return; } // The function triggers AJAX actions without verifying if the user has // the 'edit_courses' capability or validating a security nonce. do_action( 'learn-press/ajax/' . $action ); die(); }
Security Fix
@@ -10,6 +10,11 @@ if ( empty( $action ) ) { return; } + + if ( ! current_user_can( 'edit_lp_courses' ) ) { + wp_send_json_error( 'Forbidden' ); + return; + } do_action( 'learn-press/ajax/' . $action ); die();
Exploit Outline
The exploit involves targeting the `catch_lp_ajax` mechanism. An attacker identifies the specific course-editing actions registered under the `learn-press/ajax/` hook (such as those for updating sections or re-ordering items). By sending a POST or GET request to the WordPress site with the `lp-ajax` parameter set to a sensitive action (e.g., `update-course-section`), and providing the target `course_id` and the desired modification data, the attacker can alter the course content. This works because the plugin processes these requests without checking if the requester is an administrator or instructor.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.