CVE-2025-64251
Description
Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Learning Pro: from n/a through <= 3.9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Ultimate Learning Pro <=3.9.3 allows unauthenticated attackers to delete arbitrary content.
Vulnerability Overview
CVE-2025-64251 is a missing authorization vulnerability in the WordPress plugin Ultimate Learning Pro (indeed-learning-pro), affecting versions from n/a through 3.9.3. The plugin fails to properly enforce access controls on certain endpoints, allowing exploitation of incorrectly configured access control security levels [1].
Exploitation
An attacker can exploit this vulnerability without requiring authentication or special privileges. The issue is believed to be exploitable over the network, enabling unauthenticated attackers to send crafted requests to trigger content deletion operations. No user interaction is needed for exploitation, and the attack complexity is considered low [1].
Impact
Successful exploitation allows an attacker to delete arbitrary content from the affected WordPress site, including images, posts, and pages. This can lead to significant data loss and disruption of site functionality. The CVSS v3 base score is 4.9 (Medium), with a focus on integrity impact [1].
Mitigation
The vendor, azzaroco, has released a patched version. Users are strongly advised to update the plugin to version 3.9.4 or later. If immediate update is not possible, temporary measures such as disabling the plugin or implementing web application firewall rules should be considered [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.9.3
Patches
No patches discovered yet.