CVE-2025-22740: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in Automattic Sensei LMS plugin versions through 4.24.4. The vulnerability was discovered by David Ojeda Guijarro and was publicly disclosed on March 27, 2025. This security issue has been assigned CVE-2025-22740 and affects the access control mechanisms within the Sensei LMS WordPress plugin (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 5.3 (Medium). The vulnerability vector is described as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability allows for exploitation of incorrectly configured access control security levels (Patchstack).

The vulnerability has been assessed with a low severity impact. It primarily affects the confidentiality of the system, with potential unauthorized access to information, while having no direct impact on system integrity or availability (Patchstack).

The vulnerability has been fixed in version 4.24.5 of the Sensei LMS plugin. Users are advised to update to version 4.24.5 or later to remove the vulnerability. For additional protection, Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).