Description
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-controlled key in all versions up to, and including, 4.3.5. This is due to improper handling of user-supplied request parameters in the REST API endpoint, which passes the unsanitized parameter array to the add_to_cart() function where array_merge() allows attacker-controlled values to overwrite hardcoded defaults. This makes it possible for authenticated attackers, with subscriber-level access and above, to enroll in any paid course entirely free of charge by supplying a quantity value of zero, which causes the order total to calculate as $0 and bypasses all payment gateway requirements.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LearnPress WordPress LMS Plugin contains a flaw that allows authenticated users with subscriber-level access or higher to enroll in any paid course without paying. The REST enrollment endpoint passes the raw request parameter array to add_to_cart(), which combines it with its hardcoded defaults using array_merge(); because array_merge() keeps the later value for a duplicated key, a client-supplied quantity overwrites the default of one. Sending quantity=0 therefore makes the line item price multiply to an order total of $0, which bypasses every configured payment gateway and makes the paid course effectively free, resulting in revenue loss and abuse of the platform's enrollment system.

Affected Systems

This vulnerability affects all installations of the ThimPress LearnPress WordPress LMS Plugin up to and including version 4.3.5. The flaw lives in the cart handling code and the REST API controller responsible for course enrollment.

Risk and Exploitability

With a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) the flaw is rated Medium: it is reachable over the network with no user interaction, but its only scored impact is a partial loss of integrity, and it is not currently listed in the CISA KEV catalog. The exploit requires an authenticated user with at least subscriber-level privileges. That is a low bar: Subscriber is the default role WordPress assigns to new registrations, so on a LearnPress site that lets students sign up for an account anyone can obtain it without credential compromise or social engineering. Because the vulnerability does not grant arbitrary code execution or full system compromise, the impact is limited to monetary loss through unpaid enrollments, but each enrollment is trivially repeatable, so it still poses a tangible business risk.

Generated by OpenCVE AI on May 14, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LearnPress to a release newer than 4.3.5 that the vendor's changelog identifies as containing the fix; at the time of this record no fixed version is listed above, so confirm the changelog before treating an upgrade as remediation.
  • If an upgrade is not immediately possible, strip the 'quantity' parameter from enrollment requests made by non-administrators, or restrict the REST course-enrollment endpoint to administrators. Note that the second option also blocks legitimate self-enrollment, so prefer stripping the parameter.
  • Enforce server-side validation that rejects zero, negative and non-numeric quantities for paid courses and requires a minimum quantity of one; whitelist the expected parameter names before the request array reaches add_to_cart(), so unexpected keys can never overwrite defaults.
  • As a temporary measure, add a Web Application Firewall rule that blocks enrollment requests for paid courses carrying a quantity of zero. Match the parameter in both the query string and the request body, since the WordPress REST API accepts JSON and form-encoded bodies as well as query parameters.

Generated by OpenCVE AI on May 14, 2026 at 05:21 UTC.
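To make the array_merge() mechanism from the description and the whitelist/minimum-quantity recommendation above concrete, the following PHP is an added illustration written for this page. It is not LearnPress code and calls no LearnPress function; the function names, the COURSE_PRICES table and the request arrays are all constructed for the example.

```php
<?php
// Added illustration, not LearnPress code: a defaults array merged with raw
// request parameters lets quantity=0 zero out an order total, alongside a
// hardened variant that whitelists keys and rejects non-positive quantities.
declare(strict_types=1);

// Hypothetical catalogue (course id => price), constructed for the example.
const COURSE_PRICES = [101 => 49.00, 102 => 120.00];

function price_for(int $courseId): float
{
    if (!isset(COURSE_PRICES[$courseId])) {
        throw new InvalidArgumentException("unknown course $courseId");
    }
    return COURSE_PRICES[$courseId];
}

// Vulnerable pattern from the advisory: array_merge() keeps the later
// array's value for every duplicated string key, so a client-supplied
// 'quantity' silently replaces the hardcoded default of 1.
function add_to_cart_vulnerable(array $request): array
{
    $defaults = ['course_id' => 0, 'quantity' => 1];
    $item     = array_merge($defaults, $request);
    $quantity = (int) $item['quantity'];           // '0', '-1' and 'abc' all become <= 0
    return [
        'quantity' => $quantity,
        'total'    => price_for((int) $item['course_id']) * $quantity,
    ];
}

// Hardened version: copy only the documented keys out of the request,
// coerce them, and refuse any quantity below 1 before doing price math.
function add_to_cart_hardened(array $request): array
{
    $defaults = ['course_id' => 0, 'quantity' => 1];
    $allowed  = ['course_id', 'quantity'];
    $item     = $defaults;
    foreach ($allowed as $key) {
        if (array_key_exists($key, $request) && is_numeric($request[$key])) {
            $item[$key] = (int) $request[$key];
        }
    }
    if ($item['quantity'] < 1) {
        throw new InvalidArgumentException('quantity must be at least 1');
    }
    $total = price_for($item['course_id']) * $item['quantity'];
    if ($total <= 0.0) {                           // last line of defence for paid courses
        throw new RuntimeException('refusing zero-value order for a paid course');
    }
    return ['quantity' => $item['quantity'], 'total' => $total];
}

// Constructed requests: the attack from the advisory (a subscriber injects
// quantity=0 next to a paid course id) and a legitimate enrollment.
$malicious = ['course_id' => '102', 'quantity' => '0'];
$legit     = ['course_id' => '102'];

$v = add_to_cart_vulnerable($malicious);
printf("vulnerable: quantity=%d total=%.2f\n", $v['quantity'], $v['total']);

try {
    add_to_cart_hardened($malicious);
} catch (InvalidArgumentException $e) {
    printf("hardened:   rejected (%s)\n", $e->getMessage());
}
$h = add_to_cart_hardened($legit);
printf("hardened:   quantity=%d total=%.2f\n", $h['quantity'], $h['total']);
```

Run it with the php command-line interpreter: the vulnerable path computes a zero total for the injected request, while the hardened path rejects it and charges the legitimate request the full course price. In a real WordPress REST controller the equivalent of the whitelist is to declare 'quantity' in the route's args with a validate_callback that rejects values below 1, and to build the cart array from those declared keys rather than handing $request->get_params() to the cart wholesale.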

Advisories

No advisories yet.

History

Thu, 14 May 2026 11:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Thimpress; Thimpress learnpress – Wordpress Lms Plugin For Create And Sell Online Courses; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Thimpress; Thimpress learnpress – Wordpress Lms Plugin For Create And Sell Online Courses; Wordpress; Wordpress wordpress

Thu, 14 May 2026 04:45:00 +0000

Type: Description
Values added: The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-controlled key in all versions up to, and including, 4.3.5. This is due to improper handling of user-supplied request parameters in the REST API endpoint, which passes the unsanitized parameter array to the add_to_cart() function where array_merge() allows attacker-controlled values to overwrite hardcoded defaults. This makes it possible for authenticated attackers, with subscriber-level access and above, to enroll in any paid course entirely free of charge by supplying a quantity value of zero, which causes the order total to calculate as $0 and bypasses all payment gateway requirements.

Type: Title
Values added: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.5 - Authenticated (Subscriber+) Payment Bypass to Free Course Enrollment via 'quantity' Parameter

Type: Weaknesses
Values added: CWE-639

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:47:41.640Z

Reserved: 2026-05-01T17:23:20.667Z

Link: CVE-2026-7648

Vulnrichment

Updated: 2026-05-14T10:47:36.419Z

NVD

Status : Deferred

Published: 2026-05-14T05:16:46.080

Modified: 2026-05-14T14:29:01.600

Link: CVE-2026-7648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T06:45:05Z

Weaknesses