LearnPress – WordPress LMS Plugin < 4.3.2 – Missing Authorization to Unauthenticated Orders Statistics Exposure | CVE 2025-13956 | Plugin Vulnerabilities

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts

Affects Plugins

Fixed in 4.3.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b833c3-818d-4646-bd6d-8b3be13ea0f1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Sarawut Poolkhet (MisterHelloz)

Verified

No

WPVDB ID

b4c0e309-45d1-4b00-875d-ec8a76910253

Timeline

Publicly Published

2025-12-15 (about 2 months ago)

Added

2025-12-15 (about 2 months ago)

Last Updated

2025-12-16 (about 2 months ago)

Other

Published

Title

Published

2025-05-19

Title

Majestic Support < 1.1.1 - Missing Authorization

Published

2026-02-05

Title

LottieFiles < 3.1.0 - Missing Authorization

Published

2024-12-19

Title

Royal Elementor Addons < 1.7.1002 - Missing Authorization

Published

2023-09-18

Title

Super Store Finder < 6.9.4 - Unauthenticated Email Creation/Sending

Published

2025-12-11

Title

Laser <= 1.1.1 - Missing Authorization