Description
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'return_type' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe DISTINCT(ID) AS ID field override) in a single unauthenticated request to the /wp-json/lp/v1/courses/archive-course endpoint.
Published: 2026-06-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LearnPress plugin exposes sensitive data through the public JSON API endpoint. By supplying the query parameters c_status=all and return_type=json to /wp-json/lp/v1/courses/archive-course, an unauthenticated user can trigger a SELECT * query that returns the plain‑text password of password‑protected courses as well as the full post content, author, and slug of courses that are in draft, private, or pending state. This constitutes a direct disclosure of confidential course information and credentials.

Affected Systems

The vulnerability affects the ThimPress LearnPress WordPress LMS plugin in all releases up to and including 4.3.6. Any WordPress site running one of those versions with the plugin active is exposed, because the vulnerable route is part of the plugin's public frontend REST API. The advisory does not name a fixed version, so a release newer than 4.3.6 should be checked against the vendor changelog or the Wordfence entry rather than presumed patched.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects a network‑reachable, low‑complexity read that needs no authentication or user interaction and has a limited confidentiality impact with no effect on integrity or availability. The EPSS score is below 1% and the issue is not in the CISA KEV catalog, so there is no evidence yet of exploitation in the wild; the SSVC entry nevertheless rates it Automatable, and because the trigger is a single unauthenticated GET with two query parameters, every internet‑exposed WordPress site running an affected version can be swept at scale by anyone who reads the advisory.

Generated by OpenCVE AI on June 6, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LearnPress to a release newer than 4.3.6 that the vendor confirms addresses this issue (the advisory does not name one), or remove the plugin if it is no longer needed.
  • Until a fix is installed, use the web server or WAF to drop unauthenticated requests to /wp-json/lp/v1/courses/archive-course (and its ?rest_route=/lp/v1/courses/archive-course form) that carry c_status=all; blocking the whole route is an option but will likely break the public course listing, since this is the frontend archive endpoint.
  • Audit the plugin’s other REST routes for the same pattern (a status filter that accepts all and a return type that disables the restricted column list), and monitor access logs for requests to the endpoint that combine c_status=all with return_type=json.
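The following Python is added here as a worked example and is not code from LearnPress, Wordfence or OpenCVE. It does two things the advisory makes possible: it classifies web-server access-log requests by whether they carry the c_status=all and return_type=json combination the advisory says reaches the unrestricted SELECT * query, and it inspects rows returned by the endpoint for the fields the advisory says leak, so an administrator can confirm a fix took effect. The endpoint path and the two parameter names come from the advisory; the combined log format, the ?rest_route= form of a WordPress REST URL, case-insensitive comparison of parameter values, and the shape of the JSON rows (one dict per course carrying wp_posts columns) are assumptions, and every log line and row below is constructed sample data.

```python
"""Log detection and self-check helpers for CVE-2026-8502 (LearnPress <= 4.3.6).
Added example, not LearnPress, Wordfence or OpenCVE code. The endpoint and the
c_status/return_type parameters come from the advisory; log format, response
shape and all sample data are assumed or constructed."""
import json
import re
import urllib.parse
import urllib.request

ENDPOINT = "/wp-json/lp/v1/courses/archive-course"   # from the advisory
REST_ROUTE = "/lp/v1/courses/archive-course"          # same route via ?rest_route= (plain permalinks)

# Fields the advisory says the SELECT * fallback exposes. post_password leaks on
# any protected row; the others matter only for rows that are not published.
NON_PUBLIC_FIELDS = ("post_content", "post_author", "post_name")

# Apache/nginx "combined" access-log layout (assumption about your logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target: str) -> str:
    """Classify a request target (path + query string) against the trigger.
    'exploit'    c_status=all AND return_type=json: the combination the
                 advisory says reaches the SELECT * query;
    'suspicious' c_status=all alone: an anonymous caller asking for non-public
                 statuses, even though the advisory says that alone does not leak;
    'benign'     anything else, including return_type=json on its own.
    Values are compared case-insensitively (a detection-side choice, not a
    claim about how the plugin parses them)."""
    parsed = urllib.parse.urlsplit(target)
    qs = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
    route = qs.get("rest_route", [""])[0].rstrip("/")
    if not (parsed.path.rstrip("/").endswith(ENDPOINT) or route.endswith(REST_ROUTE)):
        return "benign"
    status_all = any(v.lower() == "all" for v in qs.get("c_status", []))
    ret_json = any(v.lower() == "json" for v in qs.get("return_type", []))
    if status_all and ret_json:
        return "exploit"
    if status_all:
        return "suspicious"
    return "benign"


def scan_log(lines):
    """Return one record per non-benign request found in combined-format log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict != "benign":
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "verdict": verdict, "target": m["target"]})
    return hits


def leaked_fields(rows):
    """List (ID, field) pairs an anonymous caller should never have received.
    A fixed site answers with only ID per row (the DISTINCT(ID) AS ID column
    list), so this returns []; full rows from a vulnerable site are flagged."""
    findings = []
    for row in rows:
        if row.get("post_password"):                    # non-empty => protected course
            findings.append((row.get("ID"), "post_password"))
        if row.get("post_status", "publish") != "publish":
            findings.extend((row.get("ID"), f) for f in NON_PUBLIC_FIELDS if f in row)
    return findings


def fetch_rows(base_url: str, timeout: float = 10.0):
    """Send the advisory's trigger request to a site you administer and return
    the decoded JSON body. Where the row list sits inside that body depends on
    the plugin version (assumption); pass that list to leaked_fields()."""
    query = urllib.parse.urlencode({"c_status": "all", "return_type": "json"})
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT + "?" + query,
                                 headers={"User-Agent": "cve-2026-8502-selfcheck"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample data (not captured from any real site).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jun/2026:05:12:01 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_status=all&return_type=json HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '198.51.100.2 - - [06/Jun/2026:05:12:09 +0000] "GET /wp-json/lp/v1/courses/archive-course?return_type=json&paged=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Jun/2026:05:13:44 +0000] "GET /?rest_route=/lp/v1/courses/archive-course&return_type=json&c_status=ALL HTTP/1.1" 200 48200 "-" "python-requests/2.31"',
    '192.0.2.5 - - [06/Jun/2026:05:14:00 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_status=all HTTP/1.1" 200 410 "-" "curl/8.5.0"',
    '192.0.2.6 - - [06/Jun/2026:05:15:00 +0000] "GET /wp-json/lp/v1/courses/archive-course HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
]
SAMPLE_ROWS_VULNERABLE = [
    {"ID": 12, "post_status": "publish", "post_password": "", "post_content": "Public lesson", "post_author": 1, "post_name": "intro"},
    {"ID": 13, "post_status": "publish", "post_password": "s3cret", "post_content": "Paid course", "post_author": 1, "post_name": "paid"},
    {"ID": 14, "post_status": "draft", "post_password": "", "post_content": "Unreleased", "post_author": 2, "post_name": "q3-launch"},
]
SAMPLE_ROWS_FIXED = [{"ID": 12}, {"ID": 13}]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["verdict"], hit["ip"], hit["target"])
    print(leaked_fields(SAMPLE_ROWS_VULNERABLE))   # four (ID, field) findings
    print(leaked_fields(SAMPLE_ROWS_FIXED))        # []
```

Only the combination is reported as exploit; return_type=json on its own is treated as benign because the advisory says the DISTINCT(ID) AS ID override still protects published rows in that case, while c_status=all alone is worth a look even though it should not leak. Run fetch_rows() only against installations you are responsible for.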


Advisories

No advisories yet.

References
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Databases/class-lp-course-db.php#L472
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Databases/class-lp-db.php#L610
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Models/Courses.php#L126
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Models/Courses.php#L200
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L196
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L68
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Databases/class-lp-course-db.php#L472
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Databases/class-lp-db.php#L610
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Models/Courses.php#L126
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Models/Courses.php#L200
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L196
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L68
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3545523%40learnpress&new=3545523%40learnpress&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a32a6ea3-4473-4075-b660-9bba083ae0bf?source=cve
History

Sat, 06 Jun 2026 12:30:00 +0000

Metrics (added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Jun 2026 04:45:00 +0000

First Time appeared (added): Thimpress; Thimpress learnpress – Wordpress Lms Plugin For Create And Sell Online Courses; Wordpress; Wordpress wordpress
Vendors & Products (added): Thimpress; Thimpress learnpress – Wordpress Lms Plugin For Create And Sell Online Courses; Wordpress; Wordpress wordpress

Sat, 06 Jun 2026 03:30:00 +0000

Description (added): identical to the Description section at the top of this page
Title (added): LearnPress <= 4.3.6 - Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters
Weaknesses (added): CWE-862
References (added)
Metrics (added): cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Thimpress Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:47:26.858Z

Reserved: 2026-05-13T20:58:03.070Z

Link: CVE-2026-8502

Vulnrichment

Updated: 2026-06-06T11:47:21.759Z

NVD

Status : Received

Published: 2026-06-06T04:17:41.357

Modified: 2026-06-06T04:17:41.357

Link: CVE-2026-8502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T04:30:12Z

Weaknesses