Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
Monthly
Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unauthenticated attackers pull correct-answer markers, complete option lists, explanations, and full question content for any quiz on the site through the check_answer logic in its frontend REST API. This exposes graded assessment material for paid courses the attacker never enrolled in or paid for, defeating the plugin's course-access model. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the network-facing, no-authentication nature makes it trivially reproducible against affected sites.
Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. No CISA KEV listing or public exploit code has been identified at time of analysis, but the Wordfence advisory includes precise code-level references that substantially lower the bar for independent reproduction.
Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the `userId` REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. No public exploit code or active exploitation has been identified at time of analysis, but exploitation requires only a subscriber-level account, making the real-world barrier low on sites with open user registration.
Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in any paid course at zero cost by manipulating a REST API parameter. The flaw stems from improper input handling in the add_to_cart() REST API endpoint where PHP's array_merge() permits attacker-supplied values to silently overwrite hardcoded order defaults - specifically the quantity field - causing the order total to resolve to $0 and bypassing all configured payment gateway enforcement. No public exploit code has been identified at time of analysis, and CISA KEV does not list this vulnerability; SSVC and EPSS both signal low current exploitation pressure, though the low-friction exploit path warrants prompt remediation on revenue-generating LMS deployments.
Sensitive information exposure in the LearnPress LMS plugin for WordPress (versions up to and including 4.4.1) lets unauthenticated attackers pull correct-answer markers, complete option lists, explanations, and full question content for any quiz on the site through the check_answer logic in its frontend REST API. This exposes graded assessment material for paid courses the attacker never enrolled in or paid for, defeating the plugin's course-access model. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the network-facing, no-authentication nature makes it trivially reproducible against affected sites.
Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. No CISA KEV listing or public exploit code has been identified at time of analysis, but the Wordfence advisory includes precise code-level references that substantially lower the bar for independent reproduction.
Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the `userId` REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. No public exploit code or active exploitation has been identified at time of analysis, but exploitation requires only a subscriber-level account, making the real-world barrier low on sites with open user registration.
Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in any paid course at zero cost by manipulating a REST API parameter. The flaw stems from improper input handling in the add_to_cart() REST API endpoint where PHP's array_merge() permits attacker-supplied values to silently overwrite hardcoded order defaults - specifically the quantity field - causing the order total to resolve to $0 and bypassing all configured payment gateway enforcement. No public exploit code has been identified at time of analysis, and CISA KEV does not list this vulnerability; SSVC and EPSS both signal low current exploitation pressure, though the low-friction exploit path warrants prompt remediation on revenue-generating LMS deployments.