Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-controlled key in all versions up to, and including, 4.3.5. This is due to improper handling of user-supplied request parameters in the REST API endpoint, which passes the unsanitized parameter array to the add_to_cart() function where array_merge() allows attacker-controlled values to overwrite hardcoded defaults. This makes it possible for authenticated attackers, with subscriber-level access and above, to enroll in any paid course entirely free of charge by supplying a quantity value of zero, which causes the order total to calculate as $0 and bypasses all payment gateway requirements.
AnalysisAI
Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in any paid course at zero cost by manipulating a REST API parameter. The flaw stems from improper input handling in the add_to_cart() REST API endpoint where PHP's array_merge() permits attacker-supplied values to silently overwrite hardcoded order defaults - specifically the quantity field - causing the order total to resolve to $0 and bypassing all configured payment gateway enforcement. No public exploit code has been identified at time of analysis, and CISA KEV does not list this vulnerability; SSVC and EPSS both signal low current exploitation pressure, though the low-friction exploit path warrants prompt remediation on revenue-generating LMS deployments.
Technical ContextAI
LearnPress (CPE: cpe:2.3:a:thimpress:learnpress_-_wordpress_lms_plugin_for_create_and_sell_online_courses:*:*:*:*:*:*:*:*) is a WordPress LMS plugin that exposes a REST API endpoint (class-lp-rest-courses-controller.php:L474) for course enrollment via cart operations. The root cause is CWE-639 (Authorization Through User-Controlled Key): user-supplied REST request parameters are passed unsanitized as an array directly into add_to_cart() (class-lp-cart.php:L105, L180), where PHP's native array_merge() function is used to combine defaults with user input. Because array_merge() gives precedence to later-provided keys, an attacker-controlled 'quantity' value of zero overwrites the hardcoded default quantity, causing WooCommerce-style order total calculation to produce $0 - a value that satisfies all payment gateway pre-checks as a legitimate free transaction. The flaw is an integrity violation (CVSS C:N/I:L/A:N) with no confidentiality or availability impact, but the business impact on operators selling paid course access can be significant.
RemediationAI
An upstream fix has been committed to the LearnPress plugin repository (changeset 3521636, visible at https://plugins.trac.wordpress.org/changeset?old=3521636%40learnpress&new=3521636%40learnpress); however, an exact released patched version number is not independently confirmed from the available data - operators should verify the current release in the WordPress plugin directory and update to any version released after 4.3.5. As a compensating control pending upgrade, site administrators can temporarily restrict REST API access by blocking the /wp-json/learnpress/v1/ endpoint namespace at the web server or WAF layer for non-authenticated sessions - note this may break legitimate enrollment flows and should be tested in staging first. Alternatively, disabling the LearnPress REST API cart functionality via plugin settings (if exposed) removes the attack surface entirely at the cost of REST-based enrollment workflows. Site owners should also audit recent orders for $0 transactions against paid courses to detect any prior abuse.
Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unau
Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated
Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authentic
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30218
GHSA-gc4c-8j88-m8pm