Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
Published: 2026-03-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Email Notification
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the SendEmailAjax class of the LearnPress WordPress LMS Plugin. A missing capability check allows any authenticated user with Subscriber-level or higher privileges to bypass authorization controls and trigger email notifications to admins, instructors, or any site user. The result is email flooding, the potential for social engineering, and impersonation of administrative decisions regarding instructor requests. This weakness is classified as a Missing Authorization issue (CWE-862).

Affected Systems

The affected product is the LearnPress plugin from ThimPress, a WordPress LMS plugin used to create and sell online courses. All plugin versions up to and including 4.3.2.8 are vulnerable; later releases (4.3.3 and above) contain the fix.

Risk and Exploitability

The CVSS score of 4.3 reflects a medium impact. Exploitation is unlikely to be widespread (EPSS <1%) and the vulnerability is not listed in the CISA KEV catalog, indicating no known public exploitation yet. Attackers need authenticated access via a Subscriber-level role or higher and can exploit the exposed AJAX endpoint by sending crafted requests containing a valid wp_rest nonce that is embedded in the front‑end JavaScript. Since the plugin executes the action without further authorization, the exposure can be leveraged for mass email delivery or targeted phishing campaigns.

Generated by OpenCVE AI on March 18, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest LearnPress plugin version (4.3.3 or later).
  • If an update is not immediately possible, block or restrict access to the /wp-json/.../send_email endpoint using a web‑application firewall or server‑level rules.
  • Remove or downgrade Subscriber‑level privileges for users who do not require them, ensuring only trusted roles can access the plugin’s AJAX functionality.

Generated by OpenCVE AI on March 18, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Thimpress
Thimpress learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
Wordpress
Wordpress wordpress
Vendors & Products Thimpress
Thimpress learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
Wordpress
Wordpress wordpress

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
Title LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Thimpress Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-12T14:47:10.371Z

Reserved: 2026-02-25T20:01:19.815Z

Link: CVE-2026-3226

cve-icon Vulnrichment

Updated: 2026-03-12T14:47:05.498Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-12T03:15:57.740

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-3226

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:10Z

Weaknesses