Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows Reflected XSS.This issue affects LearnPress Export Import: from n/a through <= 4.0.9.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LearnPress Export Import plugin fails to properly neutralize user input when it is embedded in a generated web page, which permits a reflected cross‑site scripting (XSS) flaw. If successfully exploited, the flaw can cause malicious JavaScript to run in the victim’s browser context.

Affected Systems

WordPress sites that use the ThimPress LearnPress Export Import plugin version 4.0.9 or earlier are affected. Site administrators should consider whether these versions are deployed when planning remediation.

Risk and Exploitability

The CVSS score of 7.1 classifies the vulnerability as high severity, yet the EPSS score of less than 1% indicates a current low likelihood of exploitation. The issue is not listed in the CISA KEV catalog. Based on the nature of the flaw, an attacker would probably need to entice a user to visit a maliciously crafted URL; such social‑engineering tactics are common, so the risk for publicly exposed sites remains reasonable.

Generated by OpenCVE AI on April 29, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LearnPress Export Import to a version higher than 4.0.9
  • Restrict the plugin’s use to trusted administrative accounts only
  • Deploy a strict Content Security Policy to block inline scripts and mitigate any residual XSS impact

Generated by OpenCVE AI on April 29, 2026 at 21:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Title WordPress LearnPress Export Import Plugin <= 4.0.9 - Cross Site Scripting (XSS) Vulnerability WordPress LearnPress Export Import plugin <= 4.0.9 - Cross Site Scripting (XSS) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 23 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Thimpress
Thimpress learnpress Export Import
Wordpress
Wordpress wordpress
Vendors & Products Thimpress
Thimpress learnpress Export Import
Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows Reflected XSS.This issue affects LearnPress Export Import: from n/a through <= 4.0.9.
Title WordPress LearnPress Export Import Plugin <= 4.0.9 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References

Subscriptions

Thimpress Learnpress Export Import
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:29:34.769Z

Reserved: 2025-06-11T16:07:56.073Z

Link: CVE-2025-49992

cve-icon Vulnrichment

Updated: 2025-10-23T14:11:11.612Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:43.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49992

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses