Skip to main content

LearnPress EUVDEUVD-2026-30218

| CVE-2026-7648 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 Wordfence GHSA-gc4c-8j88-m8pm
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:47 vuln.today
CVE Published
May 14, 2026 - 03:27 nvd
MEDIUM 4.3

DescriptionCVE.org

The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-controlled key in all versions up to, and including, 4.3.5. This is due to improper handling of user-supplied request parameters in the REST API endpoint, which passes the unsanitized parameter array to the add_to_cart() function where array_merge() allows attacker-controlled values to overwrite hardcoded defaults. This makes it possible for authenticated attackers, with subscriber-level access and above, to enroll in any paid course entirely free of charge by supplying a quantity value of zero, which causes the order total to calculate as $0 and bypasses all payment gateway requirements.

AnalysisAI

Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in any paid course at zero cost by manipulating a REST API parameter. The flaw stems from improper input handling in the add_to_cart() REST API endpoint where PHP's array_merge() permits attacker-supplied values to silently overwrite hardcoded order defaults - specifically the quantity field - causing the order total to resolve to $0 and bypassing all configured payment gateway enforcement. No public exploit code has been identified at time of analysis, and CISA KEV does not list this vulnerability; SSVC and EPSS both signal low current exploitation pressure, though the low-friction exploit path warrants prompt remediation on revenue-generating LMS deployments.

Technical ContextAI

LearnPress (CPE: cpe:2.3:a:thimpress:learnpress_-_wordpress_lms_plugin_for_create_and_sell_online_courses:*:*:*:*:*:*:*:*) is a WordPress LMS plugin that exposes a REST API endpoint (class-lp-rest-courses-controller.php:L474) for course enrollment via cart operations. The root cause is CWE-639 (Authorization Through User-Controlled Key): user-supplied REST request parameters are passed unsanitized as an array directly into add_to_cart() (class-lp-cart.php:L105, L180), where PHP's native array_merge() function is used to combine defaults with user input. Because array_merge() gives precedence to later-provided keys, an attacker-controlled 'quantity' value of zero overwrites the hardcoded default quantity, causing WooCommerce-style order total calculation to produce $0 - a value that satisfies all payment gateway pre-checks as a legitimate free transaction. The flaw is an integrity violation (CVSS C:N/I:L/A:N) with no confidentiality or availability impact, but the business impact on operators selling paid course access can be significant.

RemediationAI

An upstream fix has been committed to the LearnPress plugin repository (changeset 3521636, visible at https://plugins.trac.wordpress.org/changeset?old=3521636%40learnpress&new=3521636%40learnpress); however, an exact released patched version number is not independently confirmed from the available data - operators should verify the current release in the WordPress plugin directory and update to any version released after 4.3.5. As a compensating control pending upgrade, site administrators can temporarily restrict REST API access by blocking the /wp-json/learnpress/v1/ endpoint namespace at the web server or WAF layer for non-authenticated sessions - note this may break legitimate enrollment flows and should be tested in staging first. Alternatively, disabling the LearnPress REST API cart functionality via plugin settings (if exposed) removes the attack surface entirely at the cost of REST-based enrollment workflows. Site owners should also audit recent orders for $0 transactions against paid courses to detect any prior abuse.

Share

EUVD-2026-30218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy