Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'return_type' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe DISTINCT(ID) AS ID field override) in a single unauthenticated request to the /wp-json/lp/v1/courses/archive-course endpoint.
AnalysisAI
Sensitive information exposure in LearnPress WordPress LMS Plugin (all versions through 4.3.6) allows unauthenticated remote attackers to extract plaintext passwords and unpublished course content via a crafted REST API request. The /wp-json/lp/v1/courses/archive-course endpoint accepts two query parameters - c_status=all and return_type=json - that together bypass a publish-only post_status filter and suppress a safe DISTINCT(ID) field override, triggering an unrestricted SELECT * fallback query against the WordPress posts table. Exposed data includes post_password in plaintext for password-protected courses, and post_content, post_author, and post_name for draft, private, and pending courses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector makes it trivially scriptable at scale.
Technical ContextAI
LearnPress (CPE: cpe:2.3:a:thimpress:learnpress_-_wordpress_lms_plugin_for_create_and_sell_online_courses:*:*:*:*:*:*:*:*) is a WordPress LMS plugin by ThimPress. Its frontend REST API controller (class-lp-rest-courses-controller.php, line 68/196) exposes a course archive endpoint that passes user-controlled parameters to the Courses model (Courses.php, lines 126/200) and ultimately to the database layer (class-lp-course-db.php line 472, class-lp-db.php line 610). The root cause is CWE-862 (Missing Authorization): the post_status WHERE clause that restricts results to published posts is only enforced when c_status is absent or not 'all', and the safe DISTINCT(ID) AS ID field projection that limits column exposure is only applied when return_type is not 'json'. Combining both parameters simultaneously satisfies neither protective branch, collapsing to an unrestricted SELECT * against wp_posts with no visibility controls. WordPress natively stores post_password as plaintext in the posts table, meaning no additional decryption is required by the attacker.
RemediationAI
Upstream fix available (changeset 3545523 in the WordPress plugin SVN repository at https://plugins.trac.wordpress.org/changeset?reponame=&old=3545523%40learnpress&new=3545523%40learnpress); a released patched version is not independently confirmed from the available input data - verify the current version in the WordPress plugin directory and update to the latest available release. Until a confirmed patched version is installed, site administrators should apply the following compensating controls: use a Web Application Firewall rule to block requests to /wp-json/lp/v1/courses/archive-course containing both c_status=all and return_type=json simultaneously (note: blocking either parameter alone may still allow partial information leakage depending on plugin logic); restrict REST API access to authenticated users only via WordPress authentication filters if course browsing by guests is not required (trade-off: breaks unauthenticated course catalog browsing); and audit password-protected courses to assess whether post_password exposure represents an acceptable risk pending patching. The Wordfence threat intel page at https://www.wordfence.com/threat-intel/vulnerabilities/id/a32a6ea3-4473-4075-b660-9bba083ae0bf should be monitored for a confirmed patched version number.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34952
GHSA-ff97-5vqv-578m