Impact
LearnPress versions up to and including 4.4.0 allow stored cross-site scripting (XSS) through an unchecked 'class_wrapper_form' shortcode attribute. The plugin inserts the raw attribute value directly into the class attribute of a form element without escaping it, so a crafted value can break out of the attribute and inject arbitrary JavaScript. An attacker with at least contributor access can save such a script, which then runs whenever a visitor loads an affected page, enabling cookie theft, session hijacking, or defacement.
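As an added illustration that is not LearnPress's own code, the snippet below contrasts a shortcode handler that concatenates the attribute into a class="" context unescaped with a hardened version; the shortcode name and function names are hypothetical, and it assumes it runs inside WordPress so that shortcode_atts, sanitize_html_class, esc_attr and add_shortcode are available.

```php
<?php
// Hypothetical shortcode showing the flaw class described above (constructed example,
// not LearnPress code). The attribute value reaches the class="" attribute untouched,
// so a contributor-supplied value can close the attribute and inject markup.
function demo_form_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'class_wrapper_form' => '' ), $atts, 'demo_form' );
    return '<form class="' . $atts['class_wrapper_form'] . '"></form>'; // unescaped XSS sink
}

// Hardened version with two layers:
//  1. sanitize_html_class() reduces each token to the class-name character set
//     [A-Za-z0-9_-], so quotes, angle brackets and slashes never survive;
//  2. esc_attr() is the context-appropriate escape for anything placed in an
//     HTML attribute, kept as a second line of defence even after sanitizing.
function demo_form_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'class_wrapper_form' => '' ), $atts, 'demo_form' );

    // Accept a space-separated class list; sanitize each token on its own and drop
    // tokens that are empty after sanitization (e.g. a value made only of metacharacters).
    $tokens  = preg_split( '/\s+/', trim( (string) $atts['class_wrapper_form'] ) );
    $classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );

    $class_attr = esc_attr( implode( ' ', $classes ) );
    return '<form class="' . $class_attr . '"></form>';
}

add_shortcode( 'demo_form', 'demo_form_shortcode_safe' );
```

A quick audit check for the same pattern elsewhere is to search shortcode and template-hook handlers for attribute values concatenated into class="" (or any attribute) without passing through sanitize_html_class() or esc_attr().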
Affected Systems
The affected product is the ThimPress LearnPress WordPress LMS plugin. All versions 4.4.0 and earlier are vulnerable, including the Shortcodes and TemplateHooks modules that render courses, where the 'class_wrapper_form' attribute is processed.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity. Exploitation requires authenticated contributor-level access, which is commonly granted in content-management deployments but is less privileged than administrator access. No public exploit has been reported, and the vulnerability is not listed in CISA's KEV catalog, suggesting a low current probability of exploitation. Nonetheless, because it is a stored XSS that fires on every view of an affected page, it remains a meaningful threat wherever an untrusted user holds contributor access.
OpenCVE Enrichment