PT-2025-42695 · WordPress · Learnpress+1

Lucas Montes · Published 2025-10-18 · Updated 2025-10-18 · CVE-2025-11372

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

LearnPress – WordPress LMS Plugin versions up to and including 4.2.9.2

Description

The LearnPress – WordPress LMS Plugin is susceptible to data modification due to absent capability checks on Admin Tools REST endpoints. These endpoints are registered with __return_true as the permission callback, allowing unauthenticated attackers to perform destructive database operations. Specifically, attackers can drop indexes on any table, including WordPress core tables like wp_options, create duplicate configuration entries, and degrade site performance. This is achievable through the /wp-json/lp/v1/admin/tools/create-indexs endpoint by providing table names.

Recommendations

Update to version 4.2.9.4 or later.
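
A log-review sketch for the endpoint family named in the description, added here as an example and not taken from the advisory or from LearnPress: it flags requests to routes under /lp/v1/admin/tools/ in a web server access log, in both the /wp-json/ form and WordPress's ?rest_route= form. The Combined Log Format, the function names and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Route prefix taken from the endpoint path given in the advisory.
ADMIN_TOOLS_PREFIX = "/lp/v1/admin/tools/"

# Assumed log layout: Combined Log Format (ip ident user [time] "request" status ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Pretty-permalink form: /wp-json/<route>, possibly under a subdirectory.
    idx = path.find("/wp-json/")
    if idx != -1:
        return path[idx + len("/wp-json"):]
    # Plain-permalink form: /?rest_route=/<route> (parse_qs decodes %2F).
    values = parse_qs(parts.query).get("rest_route")
    return values[0] if values else None

def find_admin_tools_hits(lines):
    """Group requests to LearnPress Admin Tools routes by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        route = rest_route(m["target"])
        if route and route.lower().startswith(ADMIN_TOOLS_PREFIX):
            hits[m["ip"]].append((m["time"], m["method"], route, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [18/Oct/2025:10:01:02 +0000] "POST /wp-json/lp/v1/admin/tools/create-indexs HTTP/1.1" 200 61 "-" "curl/8.5.0"',
    '198.51.100.4 - - [18/Oct/2025:10:02:10 +0000] "POST /?rest_route=%2Flp%2Fv1%2Fadmin%2Ftools%2Fcreate-indexs HTTP/1.1" 200 61 "-" "python-requests/2.32"',
    '192.0.2.9 - - [18/Oct/2025:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_admin_tools_hits(SAMPLE).items():
        for when, method, route, status in events:
            print(ip, when, method, route, status)
```

Access logs do not record whether a request carried a valid administrator session, so legitimate administrator use of these endpoints will also appear in the output.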

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-11372

Affected Products

Learnpress
Wordpress