Impact
The LearnPress – WordPress LMS Plugin contains a stored cross-site scripting flaw that allows any authenticated user with Subscriber-level access or higher to inject arbitrary JavaScript through the get_profile_social input field. The injected script is persisted and executes whenever a user opens a page that displays the profile, giving the attacker the ability to deface sites or steal credentials of other users. This weakness is an instance of CWE-79, the classic injection of malicious client-side code. The primary impact is script execution in the context of other authenticated site visitors, potentially compromising the confidentiality, integrity, and availability of user sessions.
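One way to check values already persisted through the social-profile field on a site that ran an affected release, as an added example that is not LearnPress or OpenCVE code. It assumes the stored values have been exported as (user_id, network, value) rows, a hypothetical layout, since the page does not say where the plugin keeps them.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters that never belong in a stored profile URL and that can
# terminate an HTML attribute or open a tag when echoed unescaped.
MARKUP_CHARS = re.compile(r"[<>\"'`\x00-\x1f\x7f]")


def classify(value):
    """Return the reasons a stored value is suspicious ([] means clean)."""
    v = value.strip()
    if not v:
        return []  # empty field: nothing stored
    reasons = []
    if MARKUP_CHARS.search(v):
        reasons.append("markup-or-control-character")
    try:
        parts = urlsplit(v)
    except ValueError:
        return reasons + ["unparseable-url"]
    if parts.scheme not in ALLOWED_SCHEMES:
        reasons.append("not-an-http(s)-url")
    elif not parts.netloc:
        reasons.append("missing-host")
    return reasons


def audit(rows):
    """rows: iterable of (user_id, network, value); returns flagged rows."""
    flagged = []
    for user_id, network, value in rows:
        reasons = classify(value)
        if reasons:
            flagged.append((user_id, network, reasons))
    return flagged


# Constructed sample export (user ids, network names and values are made up).
SAMPLE_ROWS = [
    (12, "facebook", "https://facebook.com/alice"),
    (13, "twitter", "javascript:alert(1)"),
    (14, "youtube", 'https://example.com/"><script>alert(1)</script>'),
    (15, "linkedin", ""),
]

if __name__ == "__main__":
    for user_id, network, reasons in audit(SAMPLE_ROWS):
        print(f"user {user_id} [{network}]: {', '.join(reasons)}")
```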
Affected Systems
The vulnerability affects the LearnPress – WordPress LMS Plugin from thimpress, in all releases up to and including version 4.3.1. The plugin is used in WordPress installations that allow subscribers to edit their profiles. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 6.4 classifies the flaw as a moderate-severity vulnerability, and the EPSS score of less than 1% indicates a low probability of exploitation. The attacker must be authenticated with Subscriber or higher permissions, which reduces the scope but does not eliminate it. The vulnerability is not listed in CISA's KEV catalog, and no large-scale, publicly disclosed exploitation campaigns are currently known. Nonetheless, stored XSS reachable by any authenticated user poses a significant risk to sites that expose profile editing to non-administrator users.