Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network REST endpoint with no user interaction (AV:N/AC:L/PR:N/UI:N); pure disclosure of quiz answer data gives C:H with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_answer. This makes it possible for unauthenticated attackers to extract the correct-answer markers, full option lists, explanations, and question content for any quiz question on the site - including questions belonging to paid courses the attacker is not enrolled in.
AnalysisAI
Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unauthenticated attackers pull correct-answer markers, complete option lists, explanations, and full question content for any quiz on the site through the check_answer logic in its frontend REST API. This exposes graded assessment material for paid courses the attacker never enrolled in or paid for, defeating the plugin's course-access model. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of the LearnPress plugin (all versions ≤ 4.4.1) where quiz questions exist; the vulnerable frontend REST check_answer path in class-lp-rest-users-controller.php requires no login, no enrollment, and no user interaction (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5, High) is internally consistent with the description: remote, low-complexity, no privileges, no user interaction, with a pure confidentiality impact and no integrity or availability effect - appropriate for an information-disclosure bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with no account enumerates quiz question IDs and issues unauthenticated requests to the LearnPress frontend REST check_answer endpoint, receiving back the correct-answer markers, all answer options, explanations, and question text for questions in paid courses they never purchased. Because the vector is network-based with low complexity and no authentication or user interaction, the requests are easily scripted to harvest the full answer key of every quiz on the site; no public exploit is identified at time of analysis, but reproduction is straightforward from the disclosed endpoint. |
| Remediation | Upstream fix available (changeset 3603546 in the LearnPress WordPress.org repository, https://plugins.trac.wordpress.org/changeset?reponame=&old=3603546%40learnpress&new=3603546%40learnpress); a specific released patched version number above 4.4.1 is not independently confirmed from the provided data, so administrators should update LearnPress to the latest available release from the WordPress plugin repository and verify the version is greater than 4.4.1, then consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/ee3bbf20-43fd-4977-b0ba-b81e7a3810d0?source=cve) for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress sites running LearnPress ≤4.4.1; block the vulnerable check_answer REST API endpoint using a Web Application Firewall (WAF) rule that denies unauthenticated POST requests to /wp-json/learnpress/v1/check-answer. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated
Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authentic
Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in a
Same weakness CWE-862 – Missing Authorization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45137
GHSA-c7j6-mr7m-857j