CVE-2025-13956 - Vulnerability Details

- LearnPress – WordPress LMS Plugin <= 4.3.1 - Missing Authorization to Unauthenticated Orders Statistics Exposure

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts

Published: 2025-12-16

Score: 5.3 Medium

EPSS: 6.1% Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the LearnPress plugin's REST API. A missing capability check allows anyone who can send a request to the statistics endpoint to retrieve detailed order information, including total revenue and order status counts. This breach of data confidentiality grants unauthenticated attackers insight into the plugin's financial metrics.

Affected Systems

All installations of the LearnPress – WordPress LMS Plugin for Create and Sell Online Courses up to and including version 4.3.1 are affected. The vendor is ThimPress, and the plugin is commonly used in WordPress sites that host online courses.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of 6% suggests a moderate probability that attackers will exploit this weakness. The plugin exposes a REST API endpoint that does not require authentication, allowing remote attackers to trigger the vulnerability by simply sending a GET request to the order statistics URL. While the vulnerability does not allow control over the host, it does expose sensitive operational data. The issue is not listed in the CISA KEV catalog, but given its moderate EPSS and public visibility on the WordPress plugin repository, an immediate patch is advised.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

thimpress

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.3.1

No data.

Vendor	Product	Confidence	Versions
Thimpress	Learnpress	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the LearnPress plugin to the latest available version, which includes a capability check for the order statistics endpoint.
If an upgrade is not immediately possible, restrict unauthenticated access to the "/wp-json/learnpress/v1/orders/stats" endpoint by using a security plugin or web server rule that blocks the endpoint for non‑logged‑in users.
Configure the plugin or your WordPress environment to enforce a capability check for the orders statistics REST endpoint, ensuring that only authenticated users with the required role can access the data.

Generated by OpenCVE AI on April 21, 2026 at 00:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.06054.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/rest-api/v1/frontend/class-lp-rest-orders-controller.php#L36
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b833c3-818d-4646-bd6d-8b3be13ea0f1?source=cve

History

Tue, 16 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 16 Dec 2025 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thimpress Thimpress learnpress Wordpress Wordpress wordpress
Vendors & Products		Thimpress Thimpress learnpress Wordpress Wordpress wordpress

Tue, 16 Dec 2025 04:45:00 +0000

Type	Values Removed	Values Added
Description		The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts
Title		LearnPress – WordPress LMS Plugin <= 4.3.1 - Missing Authorization to Unauthenticated Orders Statistics Exposure
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/rest-api/v1/frontend/class-lp-rest-orders-controller.php#L36 https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b833c3-818d-4646-bd6d-8b3be13ea0f1?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Thimpress Learnpress

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-12-16T04:31:35.001Z

Updated: 2026-04-08T17:20:44.309Z

Reserved: 2025-12-03T13:31:00.543Z

Link: CVE-2025-13956

Vulnrichment

Updated: 2025-12-16T20:45:35.087Z

NVD

Status : Deferred

Published: 2025-12-16T05:16:08.513

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object