Affected product: ThimPress LearnPress
CPE: cpe:2.3:a:thimpress:learnpress:*:*:*:*:wordpress:*:*
Affected versions: <= 4.2.9.4
A vulnerability allowing sensitive information disclosure exists in the LearnPress WordPress LMS Plugin, affecting all versions through 4.2.9.4. The issue arises from inadequate capability checks in the REST endpoint '/wp-json/lp/v1/load_content_via_ajax', which permits unauthenticated users to execute arbitrary callbacks of admin-only template methods. This flaw enables the retrieval of confidential educational content, such as admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive data, via the REST API, provided valid numeric IDs are supplied.
Exploitation of this vulnerability allows unauthenticated users to access sensitive educational information, including admin curriculum details, quiz questions with correct answers, and other confidential course materials, through the REST API.
To reproduce this vulnerability, send a request to the '/wp-json/lp/v1/load_content_via_ajax' endpoint without authentication. Include a valid numeric ID and specify a callback that targets an admin-only template method. The absence of proper authorization checks will allow the execution of the callback and the retrieval of sensitive information.
Users are advised to update the LearnPress WordPress LMS Plugin to version 4.3.0 or later.
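To check whether the endpoint was called on a site that ran an affected version, the following added example (not code from the plugin or from this advisory) scans web server access logs for successful requests to the route named above. It assumes Combined Log Format; the sample log lines are constructed, and because access logs do not record authentication state and the route may also serve ordinary front-end traffic, the output is a triage list rather than proof of abuse.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/lp/v1/load_content_via_ajax"  # REST route named in the advisory

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # undo percent-encoding in the path
    idx = path.find("/wp-json/")  # pretty-permalink form, incl. subdirectory installs
    if idx != -1:
        return "/" + path[idx + len("/wp-json/"):].strip("/")
    route = parse_qs(parts.query).get("rest_route")  # plain-permalink form
    if route:
        return "/" + route[0].strip("/")
    return None

def find_hits(lines):
    """Return (ip, timestamp, method) for each 2xx request to ENDPOINT."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        route = rest_route(m["target"])
        # WordPress matches REST routes case-insensitively; 2xx means data was returned
        if route and route.lower() == ENDPOINT and m["status"].startswith("2"):
            hits.append((m["ip"], m["ts"], m["method"]))
    return hits

def summarize(hits):
    """Count hits per client address so bulk ID enumeration stands out."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample log lines (documentation address ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "POST /wp-json/lp/v1/load_content_via_ajax HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Jan/2026:10:01:03 +0000] "POST /index.php?rest_route=%2Flp%2Fv1%2Fload_content_via_ajax HTTP/1.1" 200 4870 "-" "curl/8.5.0"',
    '198.51.100.20 - - [12/Jan/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Jan/2026:10:02:05 +0000] "POST /wp-json/lp/v1/load_content_via_ajax/ HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in summarize(find_hits(SAMPLE_LOG)).most_common():
        print(f"{ip}\t{count}")
```

Many hits from a single address in a short window are the pattern to review first, since the advisory notes that retrieval depends on supplying valid numeric IDs.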