Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress allows Reflected XSS.

This issue affects LearnPress: from n/a through 4.3.6.
Published: 2026-06-01
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation in the ThimPress LearnPress plugin. It allows an attacker to inject malicious script code that is reflected back to the user’s browser when the page is rendered. A reflected XSS flaw can enable session hijacking, credential theft, defacement, or arbitrary script execution in the context of the logged‑in user, posing a moderate to high confidentiality and integrity risk.

Affected Systems

WordPress sites running the ThimPress LearnPress plugin in any version from the earliest released version up through 4.3.6 are affected. The issue does not impact versions 4.3.7 and newer.

Risk and Exploitability

The CVSS score of 7.1 indicates medium severity, and no EPSS score is available, suggesting the exploit probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to deliver a crafted request that includes malicious input, which is then reflected by the plugin. Victim interaction is typically needed for the browser to execute the injected script, making the attack vector web‑based and potentially user‑arbitrary. The absence of a KEV listing does not guarantee low risk, as web‑based XSS flaws are commonly exploited in the wild.

Generated by OpenCVE AI on June 1, 2026 at 16:35 UTC.

Remediation

Vendor Solution

Update the WordPress LearnPress Plugin to the latest available version (at least 4.3.7).

OpenCVE Recommended Actions

  • Update the LearnPress plugin to version 4.3.7 or later as the vendor has released a patch that removes the reflected XSS flaw.
  • If an update cannot be applied immediately, mitigate by adding a strong Content Security Policy that restricts inline scripts and limits the set of trusted sources for scripts to prevent execution of reflected payloads.
  • Continuously monitor end‑user sessions for anomalous behavior such as unusual navigation patterns or injected script activity, and audit any external data sources used by LearnPress for proper validation or sanitization.

Generated by OpenCVE AI on June 1, 2026 at 16:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Thimpress
Thimpress learnpress
Wordpress
Wordpress wordpress
Vendors & Products Thimpress
Thimpress learnpress
Wordpress
Wordpress wordpress

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress allows Reflected XSS. This issue affects LearnPress: from n/a through 4.3.6.
Title WordPress LearnPress plugin <= 4.3.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Thimpress Learnpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-01T16:19:03.535Z

Reserved: 2026-05-25T22:10:00.864Z

Link: CVE-2026-48865

cve-icon Vulnrichment

Updated: 2026-06-01T16:18:58.987Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T15:16:38.150

Modified: 2026-06-01T16:41:55.090

Link: CVE-2026-48865

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T17:45:25Z

Weaknesses