9.1

CVE-2026-4365

EPSS 0.05%
Veröffentlicht 14.04.2026 01:24:59
Zuletzt bearbeitet 14.04.2026 02:16:05
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. The plugin exposes a `wp_rest` nonce in public frontend HTML (`lpData`) to unauthenticated visitors, and uses that nonce as the only security gate for the `lp-load-ajax` AJAX dispatcher. The `delete_question_answer` action has no capability or ownership check. This makes it possible for unauthenticated attackers to delete any quiz answer option by sending a crafted POST request with a publicly available nonce.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerthimpress

≫

Produkt LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

Default Statusunaffected

Version <= 4.3.2.8

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.167

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/021bd566-1663-46ba-a616-ab554b691cbb?source=cve

https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/Ajax/EditQuestionAjax.php#L285

https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/Ajax/AbstractAjax.php#L33

https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/class-lp-assets.php#L177

https://nvd.nist.gov/vuln/detail/CVE-2026-4365

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-4365

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-4365

EUVD