Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress – Course Review: from n/a through <= 4.1.9.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting (client‑side code injection)
Action: Patch
AI Analysis

Impact

Improper neutralization of input during web page generation in ThimPress LearnPress – Course Review plugin allows stored cross‑site scripting. Review text is stored without sanitization, so an attacker can submit a review containing malicious JavaScript that will execute in the browsers of any visitor who views the review. This client‑side code injection can lead to credential theft, session hijacking, or defacement. The vulnerability is classified as CWE‑79 and affects all releases through version 4.1.9.

Affected Systems

The vulnerability affects the ThimPress LearnPress – Course Review WordPress plugin for all releases up through version 4.1.9. No more recent versions are covered by this description.

Risk and Exploitability

The CVSS base score of 6.5 indicates a medium severity issue, while the EPSS of less than 1% points to a low likelihood of exploitation at the time of analysis. The flaw resides in the browser context; an attacker only needs to submit a review containing malicious script, which will then run whenever other users view that review. The vulnerability is not currently listed in CISA’s KEV catalog and there is no advanced attack surface beyond the browser. Overall, the risk is moderate but the exploitation probability is relatively low.

Generated by OpenCVE AI on April 29, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the LearnPress – Course Review plugin to the latest available version (greater than 4.1.9) or a patched release that properly sanitizes review input.
  • If an upgrade is not immediately possible, disable or remove the review feature from the site or restrict review submission to trusted users only.
  • Apply additional sanitization by filtering or escaping review content during output; for example, ensure the plugin uses WordPress’s wp_kses or sanitize_comment_text() functions to neutralize potentially dangerous input.

Generated by OpenCVE AI on April 29, 2026 at 00:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress &#8211; Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress &#8211; Course Review: from n/a through <= 4.1.9. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress – Course Review: from n/a through <= 4.1.9.

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Thimpress
Thimpress learnpress
Wordpress
Wordpress wordpress
Vendors & Products Thimpress
Thimpress learnpress
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress &#8211; Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress &#8211; Course Review: from n/a through <= 4.1.9.
Title WordPress LearnPress – Course Review plugin <= 4.1.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Thimpress Learnpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:48.025Z

Reserved: 2026-01-22T14:42:24.567Z

Link: CVE-2026-24361

cve-icon Vulnrichment

Updated: 2026-01-22T20:34:47.018Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:39.820

Modified: 2026-04-28T19:36:46.270

Link: CVE-2026-24361

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T01:00:11Z

Weaknesses