LearnPress – WordPress LMS Plugin < 4.3.2.5 – Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API | CVE 2025-14798 | Plugin Vulnerabilities

Description

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included.

Affects Plugins

Fixed in 4.3.2.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6fb00ce4-aa82-4479-b7f6-79e7bde098c1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

andrea bocchetti

Verified

No

WPVDB ID

b62a5e06-b81f-431f-acb0-e7ce4a34b4c3

Timeline

Publicly Published

2026-01-19 (about 3 months ago)

Added

2026-01-19 (about 3 months ago)

Last Updated

2026-01-20 (about 3 months ago)

Other

Published

Title

Published

2023-11-20

Title

PayTR Taksit Tablosu < 1.3.2 - Unauthenticated Settings Update

Published

2025-01-08

Title

GS Insever Portfolio <= 1.4.5 - Missing Authorization to Authenticated (Subscriber+) CSS Injection

Published

2025-04-16

Title

WP Subscription Forms < 1.2.4 - Missing Authorization

Published

2024-04-18

Title

ShopLentor < 2.8.2 - Contributor+ Template Reset

Published

2024-05-20

Title

HT Mega < 2.5.3 - Subscriber+ Options Update