Auth bypass in Thimpress Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
CVE-2025-14802
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch betw…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.000 (5.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L.
Affected products
Weakness classification (CWE)
References
- www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c…
- plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/fron…
- plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/fron…
- plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/fron…
- plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/fron…
Frequently asked questions
- What is CVE-2025-14802?
- CVE-2025-14802 is a medium-severity vulnerability in Thimpress Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 5.4/10. Published 2026-01-07.
- How severe is CVE-2025-14802?
- Medium severity. CVSS v3 base score is 5.4 out of 10.