Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress allows Reflected XSS.
This issue affects LearnPress: from n/a through 4.3.6.
AnalysisAI
Reflected cross-site scripting in ThimPress LearnPress WordPress plugin through version 4.3.6 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS scope-changed vector (S:C) indicates impact extends beyond the vulnerable component, typical of XSS reaching the WordPress admin context, and no public exploit has been identified at time of analysis.
Technical ContextAI
LearnPress is a widely deployed WordPress Learning Management System (LMS) plugin from ThimPress used to build online courses, quizzes, and student portals. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is reflected back into a generated web page without sufficient output encoding or input sanitization, so an HTML/JavaScript payload supplied via a request parameter executes in the browser of any user who loads the crafted URL. Because LearnPress integrates into the WordPress admin UI and front-end course pages, the reflected sink likely sits in a request-handling endpoint rendered without WordPress's escaping primitives such as esc_html, esc_attr, or wp_kses.
RemediationAI
No vendor-released patched version is identified in the input data, so site operators should monitor the ThimPress LearnPress plugin page on wordpress.org and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/learnpress/vulnerability/wordpress-learnpress-plugin-4-3-6-reflected-cross-site-scripting-xss-vulnerability for a release later than 4.3.6 and upgrade as soon as it is published. Until a fix is available, compensating controls include deploying a WordPress-aware WAF (Patchstack, Wordfence, or Cloudflare managed rules) with virtual patching for this CVE which will block the reflected payload at the edge, restricting administrative access to known IP ranges so the high-impact admin victim path is harder to reach, and instructing administrators and instructors not to follow LearnPress URLs received from untrusted sources; the trade-off of WAF rules is occasional false positives on legitimate course content containing HTML, and IP allow-listing breaks remote admin from arbitrary networks. Disabling the plugin entirely eliminates the risk but takes the LMS offline.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33651
GHSA-98h6-j5jr-j4p4