Skip to main content

LearnPress CVE-2026-13765

| EUVDEUVD-2026-45137 HIGH
Missing Authorization (CWE-862)
2026-07-17 Wordfence GHSA-c7j6-mr7m-857j
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network REST endpoint with no user interaction (AV:N/AC:L/PR:N/UI:N); pure disclosure of quiz answer data gives C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 05:17 vuln.today
CVE Published
Jul 17, 2026 - 03:43 cve.org
HIGH 7.5

DescriptionNVD

The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_answer. This makes it possible for unauthenticated attackers to extract the correct-answer markers, full option lists, explanations, and question content for any quiz question on the site - including questions belonging to paid courses the attacker is not enrolled in.

AnalysisAI

Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unauthenticated attackers pull correct-answer markers, complete option lists, explanations, and full question content for any quiz on the site through the check_answer logic in its frontend REST API. This exposes graded assessment material for paid courses the attacker never enrolled in or paid for, defeating the plugin's course-access model. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate site quiz/question IDs
Delivery
Send unauthenticated REST check_answer request
Exploit
Bypass missing enrollment authorization
Execution
Extract answer keys and question content
Impact
Harvest all paid-course quiz data

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of the LearnPress plugin (all versions ≤ 4.4.1) where quiz questions exist; the vulnerable frontend REST check_answer path in class-lp-rest-users-controller.php requires no login, no enrollment, and no user interaction (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5, High) is internally consistent with the description: remote, low-complexity, no privileges, no user interaction, with a pure confidentiality impact and no integrity or availability effect - appropriate for an information-disclosure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with no account enumerates quiz question IDs and issues unauthenticated requests to the LearnPress frontend REST check_answer endpoint, receiving back the correct-answer markers, all answer options, explanations, and question text for questions in paid courses they never purchased. Because the vector is network-based with low complexity and no authentication or user interaction, the requests are easily scripted to harvest the full answer key of every quiz on the site; no public exploit is identified at time of analysis, but reproduction is straightforward from the disclosed endpoint.
Remediation Upstream fix available (changeset 3603546 in the LearnPress WordPress.org repository, https://plugins.trac.wordpress.org/changeset?reponame=&old=3603546%40learnpress&new=3603546%40learnpress); a specific released patched version number above 4.4.1 is not independently confirmed from the provided data, so administrators should update LearnPress to the latest available release from the WordPress plugin repository and verify the version is greater than 4.4.1, then consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/ee3bbf20-43fd-4977-b0ba-b81e7a3810d0?source=cve) for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress sites running LearnPress ≤4.4.1; block the vulnerable check_answer REST API endpoint using a Web Application Firewall (WAF) rule that denies unauthenticated POST requests to /wp-json/learnpress/v1/check-answer. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13765 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy