Skip to main content

LearnPress EUVDEUVD-2026-34952

| CVE-2026-8502 MEDIUM
Missing Authorization (CWE-862)
2026-06-06 Wordfence GHSA-ff97-5vqv-578m
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 03:53 vuln.today
CVE Published
Jun 06, 2026 - 02:28 nvd
MEDIUM 5.3

DescriptionCVE.org

The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'return_type' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe DISTINCT(ID) AS ID field override) in a single unauthenticated request to the /wp-json/lp/v1/courses/archive-course endpoint.

AnalysisAI

Sensitive information exposure in LearnPress WordPress LMS Plugin (all versions through 4.3.6) allows unauthenticated remote attackers to extract plaintext passwords and unpublished course content via a crafted REST API request. The /wp-json/lp/v1/courses/archive-course endpoint accepts two query parameters - c_status=all and return_type=json - that together bypass a publish-only post_status filter and suppress a safe DISTINCT(ID) field override, triggering an unrestricted SELECT * fallback query against the WordPress posts table. Exposed data includes post_password in plaintext for password-protected courses, and post_content, post_author, and post_name for draft, private, and pending courses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector makes it trivially scriptable at scale.

Technical ContextAI

LearnPress (CPE: cpe:2.3:a:thimpress:learnpress_-_wordpress_lms_plugin_for_create_and_sell_online_courses:*:*:*:*:*:*:*:*) is a WordPress LMS plugin by ThimPress. Its frontend REST API controller (class-lp-rest-courses-controller.php, line 68/196) exposes a course archive endpoint that passes user-controlled parameters to the Courses model (Courses.php, lines 126/200) and ultimately to the database layer (class-lp-course-db.php line 472, class-lp-db.php line 610). The root cause is CWE-862 (Missing Authorization): the post_status WHERE clause that restricts results to published posts is only enforced when c_status is absent or not 'all', and the safe DISTINCT(ID) AS ID field projection that limits column exposure is only applied when return_type is not 'json'. Combining both parameters simultaneously satisfies neither protective branch, collapsing to an unrestricted SELECT * against wp_posts with no visibility controls. WordPress natively stores post_password as plaintext in the posts table, meaning no additional decryption is required by the attacker.

RemediationAI

Upstream fix available (changeset 3545523 in the WordPress plugin SVN repository at https://plugins.trac.wordpress.org/changeset?reponame=&old=3545523%40learnpress&new=3545523%40learnpress); a released patched version is not independently confirmed from the available input data - verify the current version in the WordPress plugin directory and update to the latest available release. Until a confirmed patched version is installed, site administrators should apply the following compensating controls: use a Web Application Firewall rule to block requests to /wp-json/lp/v1/courses/archive-course containing both c_status=all and return_type=json simultaneously (note: blocking either parameter alone may still allow partial information leakage depending on plugin logic); restrict REST API access to authenticated users only via WordPress authentication filters if course browsing by guests is not required (trade-off: breaks unauthenticated course catalog browsing); and audit password-protected courses to assess whether post_password exposure represents an acceptable risk pending patching. The Wordfence threat intel page at https://www.wordfence.com/threat-intel/vulnerabilities/id/a32a6ea3-4473-4075-b660-9bba083ae0bf should be monitored for a confirmed patched version number.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-34952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy