Atomic Edge analysis of CVE-2025-13964:
The LearnPress WordPress LMS plugin, versions up to and including 4.3.2, contains a missing capability check vulnerability in its AJAX request handling. This flaw allows unauthenticated attackers to modify course curriculum data, including adding, removing, updating, and reordering sections and items. The vulnerability has a CVSS score of 5.3, indicating medium severity.
The root cause lies in the `catch_lp_ajax` function within the `EditCurriculumAjax` class. This function processes AJAX requests for curriculum editing operations without verifying the user’s authentication or authorization. The vulnerable code path begins when an unauthenticated user sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `learnpress_ajax`. The request is then routed through the `EditCurriculumAjax::catch_lp_ajax()` method, which executes curriculum modification functions like `update_section_items_order`, `update_section`, `new_section`, `remove_section`, `new_section_item`, `update_section_item`, and `remove_section_item`. These functions perform database operations on the `learnpress_sections` and `learnpress_section_items` tables without any capability checks.
Exploitation requires sending crafted POST requests to the WordPress AJAX endpoint. Attackers target `/wp-admin/admin-ajax.php` with the parameter `action=learnpress_ajax`. The request must include specific operation parameters: `lp_ajax` set to curriculum editing actions like `update_section_items_order`, `update_section`, `new_section`, `remove_section`, `new_section_item`, `update_section_item`, or `remove_section_item`. Additional parameters like `section_id`, `course_id`, `items`, `title`, `description`, and `order` are used to specify the target course and modification details. No authentication cookies or nonce tokens are required, making the attack straightforward for unauthenticated users.
The patch addresses the vulnerability by implementing proper capability checks. The fix modifies the `EditCurriculumAjax` class to verify user permissions before processing curriculum modification requests. Specifically, the patched code adds checks using `current_user_can('edit_posts')` or similar capability verification within each curriculum editing method. The patch also removes the vulnerable `LP_REST_Orders_Controller` from the REST API registration in `class-lp-core-api.php` (line 54), though this appears to be a separate security hardening measure. Before the patch, any unauthenticated request to the AJAX endpoint with the correct parameters would execute curriculum modifications. After the patch, these requests are blocked unless the user has appropriate editing capabilities.
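As an added illustration of the fix pattern (this is example code written for this analysis, not LearnPress's own `EditCurriculumAjax` class or the vendor's patch), the dispatcher below shows where the authorization gate belongs in a WordPress AJAX handler of the shape described above. The class name, the nonce action name `lp-curriculum-edit`, the `lp_course` post type check and the handler signature are assumptions; the operation names and request parameters are the ones the advisory lists.

```php
<?php
// Added example, not LearnPress's code: a hardened AJAX dispatcher for the
// curriculum operations named in the CVE-2025-13964 advisory.
class Hardened_Curriculum_Ajax {
    // Operations the advisory says are reachable through catch_lp_ajax().
    const ALLOWED_OPS = [
        'update_section_items_order', 'update_section', 'new_section',
        'remove_section', 'new_section_item', 'update_section_item',
        'remove_section_item',
    ];

    public static function register() {
        // Deliberately no wp_ajax_nopriv_* hook: unauthenticated calls to
        // admin-ajax.php never reach this code and get WordPress's default "0".
        add_action( 'wp_ajax_learnpress_ajax', [ __CLASS__, 'catch_lp_ajax' ] );
    }

    public static function catch_lp_ajax() {
        // 1. CSRF check. Nonce action/field names are assumptions for this example.
        check_ajax_referer( 'lp-curriculum-edit', 'nonce' );

        // 2. Allow-list the requested operation before touching any handler.
        $op = isset( $_POST['lp_ajax'] ) ? sanitize_key( wp_unslash( $_POST['lp_ajax'] ) ) : '';
        if ( ! in_array( $op, self::ALLOWED_OPS, true ) || ! method_exists( __CLASS__, $op ) ) {
            wp_send_json_error( [ 'message' => 'Unknown operation' ], 400 );
        }

        // 3. Authorization: the check the vulnerable version lacked. Using the
        //    meta capability 'edit_post' on the specific course is stricter than a
        //    bare 'edit_posts' check, because it also stops one instructor from
        //    editing another instructor's course. 'lp_course' is an assumed post type.
        $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;
        if ( ! $course_id
             || get_post_type( $course_id ) !== 'lp_course'
             || ! current_user_can( 'edit_post', $course_id ) ) {
            wp_send_json_error( [ 'message' => 'Insufficient permissions' ], 403 );
        }

        // 4. Only now dispatch to the per-operation handler.
        wp_send_json_success( call_user_func( [ __CLASS__, $op ], $course_id, $_POST ) );
    }

    // One handler, shown for shape only: inputs are sanitized here, and the
    // database write that a real handler would perform is omitted.
    public static function new_section( $course_id, $request ) {
        $title = isset( $request['title'] ) ? sanitize_text_field( wp_unslash( $request['title'] ) ) : '';
        return [ 'course_id' => $course_id, 'title' => $title ];
    }
}

Hardened_Curriculum_Ajax::register();
```

The essential difference from the vulnerable path is that steps 1 to 3 run before any curriculum function is selected, so a request lacking a valid session, nonce, or edit rights on that course never reaches the `learnpress_sections` writes.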
Successful exploitation allows complete unauthorized modification of course content. Attackers can add malicious sections or items to courses, remove legitimate content, reorder curriculum elements to disrupt learning flow, and potentially inject malicious code or links into course materials. While the vulnerability doesn’t directly enable remote code execution or site takeover, it compromises the integrity of educational content and could be used for SEO spam, phishing campaigns, or content vandalism. The impact is particularly severe for educational institutions and online course providers who rely on content accuracy and trustworthiness.
