Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
REST API is network-accessible with low complexity; subscriber account required (PR:L); confidentiality-only impact on enrollment metadata with no integrity or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.
AnalysisAI
Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the userId REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) a valid WordPress account at subscriber level or above on the target site - the CVSS PR:L metric confirms authentication is required; (2) the target user account must hold either the LP_TEACHER_ROLE (instructor) or the WordPress administrator role, as the existing guard correctly blocks cross-subscriber access and regular subscriber accounts cannot be targeted; (3) LearnPress version 4.3.9.1 or earlier must be installed and active; (4) the attacker must know or enumerate the integer user ID of a qualifying instructor or administrator, which is trivial given WordPress's sequential ID scheme and the public `/wp-json/wp/v2/users` endpoint available on many sites. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 score (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately characterizes the attack profile: the endpoint is network-accessible, exploitation complexity is low, a subscriber account is sufficient, and the impact is strictly confidential - no integrity or availability loss occurs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a WordPress subscriber account - obtained via self-registration or a compromised credential - sends an authenticated REST API request to the LearnPress lazy load controller, setting `userId` to the sequential integer ID of a known instructor or site administrator. Because no ownership check is performed for elevated-role target accounts, the server returns the targeted instructor's full course enrollment progress and completion data. … |
| Remediation | Upgrade LearnPress to version 4.4.0 or later: a WordPress SVN changeset from 4.3.9.1 to 4.4.0 (https://plugins.trac.wordpress.org/changeset?old_path=%2Flearnpress/tags/4.3.9.1&new_path=%2Flearnpress/tags/4.4.0) indicates that 4.4.0 contains the authorization fix; however, the release of this version as a distributed WordPress.org update has not been independently confirmed at time of analysis - verify availability via the WordPress plugin dashboard before applying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unau
Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authentic
Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in a
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40906
GHSA-2qhv-qfjf-5jf4