Description
The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via sprintf('<form class="%s">', $class_wrapper_form) without esc_attr() escaping. The FilterCourseShortcode::render() handler does not apply shortcode_atts() filtering, so raw user attributes flow directly through do_action('learn-press/filter-courses/layout', $data) into the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-07-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LearnPress versions up to 4.4.0 allow stored Cross‑Site Scripting through an unchecked 'class_wrapper_form' shortcode attribute. The plugin inserts the raw attribute value directly into the class attribute of a form element without proper escaping, creating an injection point for arbitrary JavaScript. An attacker with at least contributor access can save a malicious script that will run whenever a visitor loads an affected page, enabling cookie theft, session hijacking, or defacement.

Affected Systems

The affected product is the ThimPress LearnPress WordPress LMS plugin. All releases dated 4.4.0 or earlier are vulnerable, including the Shortcodes and TemplateHooks modules that render courses where the 'class_wrapper_form' attribute is processed.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity from the attacker’s view. Exploitation requires authenticated contributor‑level access, which is common in many content‑management scenarios but is less privileged than administrator access. No public exploit has been reported and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low current exploitation probability. Nonetheless, because it is a stored XSS that affects all page views, it remains a meaningful threat if an active contributor can inject malicious code.

Generated by OpenCVE AI on July 1, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a LearnPress release newer than 4.4.0 that implements proper escaping for the class_wrapper_form attribute.
  • If an upgrade is not immediately possible, remove the class_wrapper_form attribute from any existing shortcode usage or manually wrap its value with esc_attr in the plugin files to enforce output escaping.
  • Restrict contributor‑level roles from modifying shortcodes or pages unless such changes are required, and monitor shortcodes for unintended content.

Generated by OpenCVE AI on July 1, 2026 at 15:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Thimpress
Thimpress learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
Wordpress
Wordpress wordpress
Vendors & Products Thimpress
Thimpress learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
Wordpress
Wordpress wordpress

Wed, 01 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
Description The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via sprintf('<form class="%s">', $class_wrapper_form) without esc_attr() escaping. The FilterCourseShortcode::render() handler does not apply shortcode_atts() filtering, so raw user attributes flow directly through do_action('learn-press/filter-courses/layout', $data) into the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title LearnPress <= 4.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_wrapper_form' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Thimpress Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:32:04.704Z

Reserved: 2026-06-19T16:03:58.190Z

Link: CVE-2026-12732

cve-icon Vulnrichment

Updated: 2026-07-01T10:30:40.904Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T15:15:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')