Skip to main content

LearnPress CVE-2026-48865

| EUVDEUVD-2026-33651 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-01 audit@patchstack.com GHSA-98h6-j5jr-j4p4
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:34 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress allows Reflected XSS.

This issue affects LearnPress: from n/a through 4.3.6.

AnalysisAI

Reflected cross-site scripting in ThimPress LearnPress WordPress plugin through version 4.3.6 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS scope-changed vector (S:C) indicates impact extends beyond the vulnerable component, typical of XSS reaching the WordPress admin context, and no public exploit has been identified at time of analysis.

Technical ContextAI

LearnPress is a widely deployed WordPress Learning Management System (LMS) plugin from ThimPress used to build online courses, quizzes, and student portals. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is reflected back into a generated web page without sufficient output encoding or input sanitization, so an HTML/JavaScript payload supplied via a request parameter executes in the browser of any user who loads the crafted URL. Because LearnPress integrates into the WordPress admin UI and front-end course pages, the reflected sink likely sits in a request-handling endpoint rendered without WordPress's escaping primitives such as esc_html, esc_attr, or wp_kses.

RemediationAI

No vendor-released patched version is identified in the input data, so site operators should monitor the ThimPress LearnPress plugin page on wordpress.org and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/learnpress/vulnerability/wordpress-learnpress-plugin-4-3-6-reflected-cross-site-scripting-xss-vulnerability for a release later than 4.3.6 and upgrade as soon as it is published. Until a fix is available, compensating controls include deploying a WordPress-aware WAF (Patchstack, Wordfence, or Cloudflare managed rules) with virtual patching for this CVE which will block the reflected payload at the edge, restricting administrative access to known IP ranges so the high-impact admin victim path is harder to reach, and instructing administrators and instructors not to follow LearnPress URLs received from untrusted sources; the trade-off of WAF rules is occasional false positives on legitimate course content containing HTML, and IP allow-listing breaks remote admin from arbitrary networks. Disabling the plugin entirely eliminates the risk but takes the LMS offline.

Share

CVE-2026-48865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy