CVE-2025-11372: 
WordPress vulnerability analysis and mitigation

The LearnPress – WordPress LMS Plugin for WordPress contains a missing authorization vulnerability (CVE-2025-11372) discovered on October 18, 2025. The vulnerability affects all versions up to and including 4.2.9.2. The issue stems from missing capability checks on the Admin Tools REST endpoints which are registered with permissioncallback set to _return_true (NVD).

The vulnerability exists due to the Admin Tools REST endpoints being registered with permissioncallback set to _return_true, effectively bypassing authentication checks. This misconfiguration allows unauthenticated attackers to access administrative functionality through the /wp-json/lp/v1/admin/tools/create-indexs endpoint. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) and is classified as CWE-862: Missing Authorization (NVD).

When exploited, this vulnerability allows unauthenticated attackers to perform destructive database operations including dropping indexes on any table (including WordPress core tables like wp_options), creating duplicate configuration entries, and degrading site performance. The attacker only needs to be able to provide valid table names to execute these operations (NVD).

A fix has been implemented in a newer version of the plugin. Users should update their LearnPress plugin to a version newer than 4.2.9.2. The fix involves proper implementation of authorization checks on the Admin Tools REST endpoints (NVD).