TL;DR
LearnPress, one of the most popular LMS plugins for WordPress, exposes an admin tools endpoint that never checks whether a caller is logged in. A single unauthenticated POST request lets an attacker create, drop and rebuild indexes on any table in the site's database, which is enough to cripple performance and take the site down. Upgrading to LearnPress 4.2.9.4 closes the hole.
1. Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2025-11372 |
| Affected Product(s) | ThimPress LearnPress for WordPress, all versions ≤ 4.2.9.3 |
| Volerion Risk Score | 7.5 / 10 |
| Exploit Status | No public proof-of-concept as of publication |
| CISA KEV | No |
2. Context – Why a missing permission callback matters
LearnPress powers tens of thousands of online courses, including many small universities and corporate training portals. WordPress administrators often leave REST API endpoints exposed to the public Internet because the core platform relies on them for Gutenberg and other modern features. When an endpoint that is meant for privileged database maintenance accepts unauthenticated requests, anyone who can reach the site over the network can run that maintenance at will.
The vulnerable code lives inside inc/rest-api/v1/admin/class-lp-admin-rest-tools-controller.php. The controller registers the route /lp/v1/admin/tools/create-indexs and passes __return_true as the permission callback. WordPress interprets this constant as, quite literally, “always allow”.
3. Technical Details
The /create-indexs route ultimately calls LP_DB::create_indexs. That helper iterates over a caller-supplied array of table names and, for each index it manages, performs one of two actions:
- If the index does not exist, it runs ALTER TABLE <table> ADD INDEX ... to create it.
- If the index already exists, it drops it and recreates it.
Because the route accepts any table name, an attacker can point it at wp_options, wp_users or custom plugin tables. Dropping and rebuilding an index on a large table is expensive, and while the index is absent every query that relied on it falls back to a full table scan; for wp_options that is every option lookup on every page load. Repeating the request in a loop is enough to drive CPU usage to 100 percent and balloon page load times.
A trivial exploit needs only a single unauthenticated POST request. No nonce or CSRF token is involved, because the permission callback never consults the session in the first place.

```bash
curl -X POST "https://victim.example/wp-json/lp/v1/admin/tools/create-indexs" \
  -H "Content-Type: application/json" \
  -d '{"tables":["wp_options"]}'
```

On a default installation this returns a JSON success message even though the caller never logged in.
The patch released in 4.2.9.4 replaces __return_true with a permission callback that requires the manage_options capability, which by default only administrator accounts hold. Because WordPress evaluates the permission callback before the route callback, an unauthenticated caller now receives a rest_forbidden error (HTTP 401, or 403 for a logged-in user without the capability) and the index manipulation logic behind current_user_can is never reached.
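To make the difference concrete, here is the shape of the route registration described above next to a hardened form. This is an added example, not LearnPress's own code or the contents of the referenced commit: the class and method names are assumed for illustration, LP_DB::create_indexs is the helper named in this advisory and its signature is assumed, and the table allow-list is extra hardening the example adds rather than something the vendor patch is known to do. register_rest_route, current_user_can, rest_authorization_required_code and the WP_REST_* classes are core WordPress APIs.

```php
<?php
/**
 * Added example, not LearnPress's own code. Reproduces the vulnerable
 * registration described in this advisory ('__return_true' as the permission
 * callback) next to a hardened form. Class, method and table names are assumed;
 * LP_DB::create_indexs is the helper named in the advisory (signature assumed).
 */

class Example_Tools_Controller extends WP_REST_Controller {

	protected $namespace = 'lp/v1';
	protected $rest_base = 'admin/tools';

	/** BEFORE (<= 4.2.9.3 as described above): '__return_true' means "always allow". */
	public function register_routes_vulnerable() {
		register_rest_route( $this->namespace, '/' . $this->rest_base . '/create-indexs', array(
			'methods'             => WP_REST_Server::CREATABLE, // POST
			'callback'            => array( $this, 'create_indexs' ),
			'permission_callback' => '__return_true',            // nobody is ever turned away
		) );
	}

	/** AFTER: the permission callback requires manage_options and the input is validated. */
	public function register_routes_hardened() {
		register_rest_route( $this->namespace, '/' . $this->rest_base . '/create-indexs', array(
			'methods'             => WP_REST_Server::CREATABLE,
			'callback'            => array( $this, 'create_indexs' ),
			'permission_callback' => array( $this, 'check_admin_permission' ),
			'args'                => array(
				'tables' => array(
					'required'          => true,
					'type'              => 'array',
					'items'             => array( 'type' => 'string' ),
					'validate_callback' => array( $this, 'validate_tables' ),
				),
			),
		) );
	}

	public function check_admin_permission( WP_REST_Request $request ) {
		if ( ! current_user_can( 'manage_options' ) ) {
			// 401 for anonymous callers, 403 for logged-in users without the capability.
			return new WP_Error(
				'rest_forbidden',
				'Database maintenance requires the manage_options capability.',
				array( 'status' => rest_authorization_required_code() )
			);
		}
		return true;
	}

	/**
	 * Extra hardening added by this example (not known to be part of the vendor fix):
	 * only tables the plugin owns may be touched, so wp_options and wp_users are never eligible.
	 */
	public function validate_tables( $value, WP_REST_Request $request, $param ) {
		global $wpdb;
		// Allow-list assumed for the example.
		$allowed = array(
			$wpdb->prefix . 'learnpress_user_items',
			$wpdb->prefix . 'learnpress_sections',
		);
		if ( ! is_array( $value ) || empty( $value ) ) {
			return new WP_Error( 'rest_invalid_param', 'tables must be a non-empty array.', array( 'status' => 400 ) );
		}
		foreach ( $value as $table ) {
			if ( ! is_string( $table ) || ! in_array( $table, $allowed, true ) ) {
				$shown = is_string( $table ) ? $table : gettype( $table );
				return new WP_Error(
					'rest_invalid_param',
					sprintf( 'Table "%s" is not eligible for index maintenance.', $shown ),
					array( 'status' => 400 )
				);
			}
		}
		return true;
	}

	/** Reached only after both the permission callback and the args validation have passed. */
	public function create_indexs( WP_REST_Request $request ) {
		$tables = $request->get_param( 'tables' );
		$result = LP_DB::create_indexs( $tables ); // helper named in this advisory; signature assumed
		return rest_ensure_response( array( 'tables' => $tables, 'result' => $result ) );
	}
}

add_action( 'rest_api_init', function () {
	// Register the hardened routes; the vulnerable method is kept only for comparison.
	( new Example_Tools_Controller() )->register_routes_hardened();
} );
```

The permission callback is the fix; the args block is the part a reviewer would ask for on top of it, since an endpoint that runs ALTER TABLE on caller-named tables remains a foot-gun even when only administrators can reach it.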
4. Impact
Attackers gain the ability to alter database structure without ever reading or writing row data. The flaw does not expose raw data, but it enables destructive integrity and availability attacks:
• Dropping the index on wp_options.option_name turns every option lookup into a full table scan; administrative pages, which load many options per request, become unusable on a busy site.
• Repeatedly rebuilding indexes on large InnoDB tables generates heavy disk I/O and temporary space usage, which is a denial of service in itself.
• Course data stored by LearnPress itself can be made inaccessible, leading to loss of progress tracking and enrollment information.
Because no authentication or user interaction is needed, automated scanners can mass-exploit the bug across thousands of sites in a single crawl.
5. Remediation
Upgrade to LearnPress 4.2.9.4 or later. The vendor committed the fix in cf940a4375 and released the patched plugin to the WordPress repository within hours of disclosure.
If you cannot patch immediately, apply one of these stop-gaps:
• Block access to /wp-json/lp/v1/admin/tools/* at the web server or WAF layer. Cover the permalink-less form as well: WordPress also serves REST routes through /?rest_route=/lp/v1/admin/tools/..., and a rule that only matches the /wp-json/ path leaves that form open.
• Disable the LearnPress REST API by adding add_filter( 'lp_rest_enabled', '__return_false' ); to the active theme's functions.php or, better, to a must-use plugin that survives theme updates.
• Restrict access to wp-json to trusted IP addresses, although this may break other plugins that rely on the API.
None of these mitigations replace the need for an update, because future endpoints might suffer from similar permission oversights.
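A stop-gap that avoids the path-matching gap of a web-server rule is to enforce the capability check inside WordPress itself, where the matched route is known regardless of how the URL was written. The following must-use plugin is an added example, not LearnPress's or Volerion's code: the route prefix comes from this advisory, the plugin name and log format are assumed, and rest_request_before_callbacks, WP_REST_Request::get_route and rest_authorization_required_code are core WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example LearnPress tools guard (added example, not LearnPress's or Volerion's code)
 * Description: Refuses the LearnPress admin tools routes to anyone without manage_options.
 *              Copy into wp-content/mu-plugins/ as a stop-gap until LearnPress >= 4.2.9.4 is installed.
 */

// Route prefix taken from this advisory; everything below it is treated as privileged.
const EXAMPLE_LP_TOOLS_PREFIX = '/lp/v1/admin/tools/';

// rest_request_before_callbacks runs after argument validation but before the route's
// permission_callback and callback; returning a WP_Error short-circuits both.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
	// Argument validation or another filter already failed the request; leave that alone.
	if ( is_wp_error( $response ) ) {
		return $response;
	}

	// get_route() is the matched REST route, so this applies equally to
	// /wp-json/lp/v1/admin/tools/... and to /?rest_route=/lp/v1/admin/tools/...
	$route = $request->get_route();
	if ( 0 !== strpos( $route, EXAMPLE_LP_TOOLS_PREFIX ) ) {
		return $response;
	}

	// Cookie-based REST auth only establishes a user when a valid X-WP-Nonce is sent,
	// so a bare curl request from an attacker arrives as a logged-out user and fails here.
	if ( current_user_can( 'manage_options' ) ) {
		return $response;
	}

	// Leave a trace for detection; any attempt against this route is worth alerting on.
	$addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	error_log( sprintf( 'lp-tools-guard: blocked %s %s from %s', $request->get_method(), $route, $addr ) );

	return new WP_Error(
		'rest_forbidden',
		'Database maintenance endpoints require administrator privileges.',
		array( 'status' => rest_authorization_required_code() )
	);
}, 10, 3 );
```

Because the guard keys on the matched route rather than the request URI, it also holds when the site runs without pretty permalinks or behind a proxy that rewrites paths. It denies the whole tools namespace on purpose: the advisory's closing point is that sibling endpoints registered the same way would share the same oversight.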
6. Timeline
| Date (UTC) | Milestone |
|---|---|
| 2025-10-18 07:15 | CVE-2025-11372 published |
| 2025-10-18 07:18 | Volerion completes enrichment and publishes risk score |
7. References
- Patch commit: https://github.com/LearnPress/learnpress/commit/cf940a437539a803e49136bdff7a53e1f2b2ca44
- LearnPress database helper (source): https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/Databases/class-lp-db.php#L291
- REST tools controller (source): https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/admin/class-lp-admin-rest-tools-controller.php#L101
- Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/d2365e92-d70d-47fa-9abe-7cbdd6336f39?source=cve
About Volerion
Volerion delivers AI-driven enrichment minutes after a CVE goes live. A single call to our REST API returns CVSS 4.0 vectors, exploitability metrics and affected products complete with remediation. Additionally, we offer different scoring profiles, complete with insight into the eight comprehensive categories that make up the final score. Our API is also available in the traditional NVD API 2.0 format, so integration is as simple as swapping hosts. Spend less time parsing CVEs and more time closing them.
How the Volerion Risk Score fits with CVSS, EPSS and KEV
At the time of writing:
- This CVE carries a CVSS 3.1 base score of 9.4, reflecting the combination of network reachability, zero authentication and high integrity impact.
- EPSS reports 0.0000. For a CVE published this recently that reflects a lack of telemetry for the model to work from rather than a judgement that exploitation is unlikely.
- The vulnerability is not listed in CISA’s KEV, so United States federal agencies have no binding directive yet.
The Volerion Risk Score for CVE-2025-11372 is 7.5. That lands it firmly in our high-risk band. The score tempers the critical CVSS with real-world context: exploitation is easy, but the end result is data tampering rather than full remote code execution, and no working exploit has been published yet.