LearnPress – WordPress LMS Plugin < 4.2.9.4 – Missing Authorization to Unauthenticated Database Table Manipulation | CVE 2025-11372 | Plugin Vulnerabilities

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permission_callback set to __return_true. This makes it possible for unauthenticated attackers to perform destructive database operations including dropping indexes on any table (including WordPress core tables like wp_options), creating duplicate configuration entries, and degrading site performance via the /wp-json/lp/v1/admin/tools/create-indexs endpoint granted they can provide table names.

Affects Plugins

Fixed in 4.2.9.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d2365e92-d70d-47fa-9abe-7cbdd6336f39

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucas Montes (Nirox)

Verified

No

WPVDB ID

e03b2dad-cfbb-43b7-9715-0b6c754e9745

Timeline

Publicly Published

2025-10-17 (about 6 months ago)

Added

2025-10-17 (about 6 months ago)

Last Updated

2025-10-18 (about 6 months ago)

Other

Published

Title

Published

2024-03-12

Title

Bulgarisation for WooCommerce < 3.0.15 - Missing Authorization

Published

2025-04-24

Title

Smart Hashtags [#hashtagger] <= 7.2.3 - Missing Authorization

Published

2025-10-17

Title

Kognetiks Chatbot < 2.3.6 - Unauthenticated Limited File Uploads and Conversation Erasing

Published

2026-02-19

Title

GLB < 1.2.3 - Missing Authorization

Published

2023-10-06

Title

Contact Form builder with drag & drop - Kali Forms < 2.3.29 - Missing Authorization via get_log