CVE-2025-24740: 
WordPress vulnerability analysis and mitigation

The CVE-2025-24740 is an Open Redirect vulnerability discovered in ThimPress LearnPress WordPress plugin affecting versions up to and including 4.2.7.1. The vulnerability was reported by Muhamad Agil Fachrian on September 17, 2024, and was publicly disclosed on January 24, 2025. This security issue allows authenticated users with subscriber-level access or higher to perform URL redirections to untrusted sites (Patchstack, WPScan).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) and has received a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The issue stems from insufficient validation of redirect URLs, which can be exploited by authenticated users with subscriber-level privileges (Patchstack).

If exploited, this vulnerability could allow malicious actors to redirect users from legitimate sites to potentially malicious ones. This creates opportunities for phishing incidents where users might be tricked into visiting what they believe is a legitimate site before being redirected to a malicious one (Patchstack).

The vulnerability has been fixed in version 4.2.7.2 of the LearnPress plugin. Site administrators are advised to update to version 4.2.7.2 or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).