CVE-2025-11372

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-11372

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-11372.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-11372

Published

2025-10-18T07:15:34.837Z

Modified

2025-11-16T12:27:06.169077Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Summary

[none]

Details

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permissioncallback set to _returntrue. This makes it possible for unauthenticated attackers to perform destructive database operations including dropping indexes on any table (including WordPress core tables like wpoptions), creating duplicate configuration entries, and degrading site performance via the /wp-json/lp/v1/admin/tools/create-indexs endpoint granted they can provide table names.

References

Affected packages

Git / github.com/learnpress/learnpress

Affected ranges

Type: GIT
Repo: https://github.com/learnpress/learnpress
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

cf940a437539a803e49136bdff7a53e1f2b2ca44

Affected versions

2.*

2.0.0-beta.1

2.0.6

2.0.9

2.1.0

2.1.3

2.1.4

2.1.5.2

2.1.5.3

2.1.6

2.1.7

2.1.8

3.*

3.0.0-closebeta.1

3.0.0-closebeta.2

3.0.0-openbeta.1

3.0.0-openbeta.2

3.0.0-openbeta.3

3.0.0-openbeta.4

3.0.0-openbeta.5

3.2.1

3.2.2

3.2.5.2

4.*

4.0.0-beta-3

4.1.4-beta-3

4.1.4.1-beta-1

4.2.6.4-beta-1

4.2.6.4-beta.4

v1.*

v1.0

Other

wrong_on_check_user_passed_course