Skip to main content

LearnPress EUVDEUVD-2026-40906

| CVE-2026-11988 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-01 Wordfence GHSA-2qhv-qfjf-5jf4
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

REST API is network-accessible with low complexity; subscriber account required (PR:L); confidentiality-only impact on enrollment metadata with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:34 vuln.today
CVE Published
Jul 01, 2026 - 04:32 nvd
MEDIUM 6.5

DescriptionCVE.org

The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.

AnalysisAI

Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the userId REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber-level WordPress account
Delivery
Enumerate instructor and administrator user IDs via WordPress REST API
Exploit
Craft authenticated REST API request with target userId parameter
Execution
Submit request to LearnPress lazy load controller endpoint
Persist
Server returns enrollment data without ownership validation
Impact
Exfiltrate instructor or admin course completion records

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) a valid WordPress account at subscriber level or above on the target site - the CVSS PR:L metric confirms authentication is required; (2) the target user account must hold either the LP_TEACHER_ROLE (instructor) or the WordPress administrator role, as the existing guard correctly blocks cross-subscriber access and regular subscriber accounts cannot be targeted; (3) LearnPress version 4.3.9.1 or earlier must be installed and active; (4) the attacker must know or enumerate the integer user ID of a qualifying instructor or administrator, which is trivial given WordPress's sequential ID scheme and the public `/wp-json/wp/v2/users` endpoint available on many sites. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 score (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately characterizes the attack profile: the endpoint is network-accessible, exploitation complexity is low, a subscriber account is sufficient, and the impact is strictly confidential - no integrity or availability loss occurs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a WordPress subscriber account - obtained via self-registration or a compromised credential - sends an authenticated REST API request to the LearnPress lazy load controller, setting `userId` to the sequential integer ID of a known instructor or site administrator. Because no ownership check is performed for elevated-role target accounts, the server returns the targeted instructor's full course enrollment progress and completion data. …
Remediation Upgrade LearnPress to version 4.4.0 or later: a WordPress SVN changeset from 4.3.9.1 to 4.4.0 (https://plugins.trac.wordpress.org/changeset?old_path=%2Flearnpress/tags/4.3.9.1&new_path=%2Flearnpress/tags/4.4.0) indicates that 4.4.0 contains the authorization fix; however, the release of this version as a distributed WordPress.org update has not been independently confirmed at time of analysis - verify availability via the WordPress plugin dashboard before applying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy