Description
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.
Published: 2026-07-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LearnPress WordPress LMS plugin suffers from an Insecure Direct Object Reference that allows authenticated users with Subscriber or higher privileges to view the course enrollment progress and completion data of any teacher or administrator. This disclosure bypasses the intended restriction on cross‑subscriber data access and exposes sensitive instructor activity information. The vulnerability is classified as CWE‑639, indicating missing authorization checks on a user‑controlled key.

Affected Systems

All installations of the LearnPress LMS plugin version 4.3.9.1 and earlier are affected. The plugin is distributed by thimpress and is commonly used in WordPress sites that provide online courses.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk of disclosure. EPSS is not available, so there is no quantified probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Attackers need to be authenticated and able to send requests to the REST API endpoint that accepts a "userId" parameter; no public exploit has been reported to date, but the impact on data confidentiality is significant for sites that handle instructor or admin information.

Generated by OpenCVE AI on July 1, 2026 at 08:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LearnPress plugin to version 4.4.0 or later, which removes the IDOR flaw.
  • If an upgrade is not immediately feasible, disable or remove the REST‑API endpoint that exposes the "userId" parameter, or add a server‑side filter that rejects any request where the target user role is not the requestor’s role.
  • Restrict API access so that only users with the LP_TEACHER_ROLE or administrator role can retrieve their own enrollment data, and enforce role validation in the controller that processes the request.
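The description states that the existing guard blocks cross-subscriber access but not access to teacher or administrator targets, which means the decision depended on the target user's role rather than on who is asking. The following is an added example, not LearnPress code and not the project's actual endpoint: a WordPress REST route whose permission_callback decides purely from the requester's identity and capability, so the same rule applies whatever role the target holds. The route namespace, path, handler names and the use of the core 'list_users' capability are assumptions for illustration.

```php
<?php
// Added example (not LearnPress code). Registers a read-only endpoint that
// returns enrollment data for the user given in the 'userId' path parameter,
// and gates it on the requester rather than on the target's role.
// Namespace, path, function names and capability choice are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/enrollment/(?P<userId>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_lms_get_enrollment',
        'permission_callback' => 'example_lms_can_view_enrollment',
        'args'                => array(
            'userId' => array(
                'required'          => true,
                // Reject anything that is not a positive integer before
                // the permission check or handler ever sees it.
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

/**
 * Authorization check. The only questions asked are "is the target the
 * caller?" and "does the caller hold a capability that covers other users'
 * data?". The target's role is deliberately not consulted, so there is no
 * role-specific branch that can be left unguarded.
 */
function example_lms_can_view_enrollment( WP_REST_Request $request ) {
    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $target_user_id = absint( $request['userId'] );

    // A user may always read their own enrollment record.
    if ( $target_user_id === $current_user_id ) {
        return true;
    }

    // Cross-user reads require an explicit capability. 'list_users' is a core
    // capability held by administrators; a real plugin would usually map its
    // own capability here (assumed choice for illustration).
    if ( current_user_can( 'list_users' ) ) {
        return true;
    }

    return new WP_Error( 'rest_forbidden', 'You may only view your own enrollment data.', array( 'status' => 403 ) );
}

function example_lms_get_enrollment( WP_REST_Request $request ) {
    $target_user_id = absint( $request['userId'] );
    // Placeholder: look up the enrollment progress for $target_user_id here.
    // By this point the permission callback has already allowed the request.
    return rest_ensure_response( array( 'userId' => $target_user_id ) );
}
```

The point of the structure is that the permission callback returns the same answer for a subscriber, teacher or administrator target: either the caller is that user, or the caller holds a capability that explicitly covers other users' data. Reviewing an endpoint for this class of bug means checking that no branch of the guard keys off the target's role.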

Generated by OpenCVE AI on July 1, 2026 at 08:40 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 05:00:00 +0000

Type | Values Removed | Values Added
Description | | The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.
Title | | LearnPress <= 4.3.9.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Disclosure via 'userId' Parameter
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T04:32:27.231Z

Reserved: 2026-06-11T14:28:25.105Z

Link: CVE-2026-11988

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T08:45:15Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key