LearnPress Plugin Vulnerability (CVE-2026-12732)


Security Alert Summary

The LearnPress plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via the class_wrapper_form shortcode attribute in affected versions. Insufficient input sanitization and missing attribute escaping allow authenticated users with contributor-level access and above to inject scripts that will execute when an affected page is viewed.


CVE Details

  • CVE ID: CVE-2026-12732
  • Affected plugin / component: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
  • Affected versions: Versions up to and including 4.4.0
  • Published: July 1, 2026 at 08:16:21 AM UTC
  • Last modified: July 1, 2026 at 01:56:17 PM UTC
  • CVSS v3.1: 6.4, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges: Privileges Required: LOW (authenticated contributor-level access and above); User Interaction: NONE
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • Weakness: CWE-79 (Cross-site Scripting)

Technical Details

The vulnerability arises from insufficient input sanitization and missing output escaping in LearnPress template handling. The plugin inserts the attacker-controlled class_wrapper_form shortcode attribute into an HTML class attribute using sprintf('<form class="%s">', $class_wrapper_form) in FilterCourseTemplate::sections() without passing the value through esc_attr(). In addition, the FilterCourseShortcode::render() handler does not pass the attributes through shortcode_atts(), so raw, unfiltered shortcode attributes flow through do_action('learn-press/filter-courses/layout', $data) into the template.

Because the unescaped attribute value is placed directly into the rendered HTML, an authenticated attacker with contributor-level access or higher can inject arbitrary web scripts that are stored in the page output and execute whenever a user opens the affected page. The described impact aligns with limited confidentiality and integrity effects rather than availability impact.
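The pattern described above, reduced to a stand-alone PHP script. This is an added illustration, not LearnPress code: the WordPress helpers esc_attr() and shortcode_atts() are replaced by simplified stand-ins (an assumption, so the file runs under plain `php` without WordPress), the default class name is hypothetical, and the attacker value is constructed for the demonstration.

```php
<?php
// Added illustration, not LearnPress code. WordPress helpers are replaced by
// simplified stand-ins (assumption) so this runs under plain `php`.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode every character that can
    // terminate an HTML attribute value or open a tag.
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

if (!function_exists('shortcode_atts')) {
    // Stand-in for WordPress shortcode_atts(): keep only attributes that have
    // a declared default, so unexpected attributes never reach the template.
    function shortcode_atts(array $pairs, array $atts): array
    {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern as the advisory describes it: the raw attribute value is
// formatted straight into the class attribute with no escaping.
function render_form_vulnerable(array $atts): string
{
    $class = $atts['class_wrapper_form'] ?? '';
    return sprintf('<form class="%s">', $class);
}

// Hardened pattern: declare the accepted attributes with defaults, then
// escape at the sink. The default class name is hypothetical.
function render_form_hardened(array $atts): string
{
    $atts = shortcode_atts(['class_wrapper_form' => 'lp-form-filter'], $atts);
    return sprintf('<form class="%s">', esc_attr($atts['class_wrapper_form']));
}

// Constructed attacker value: closes the class attribute and adds an event
// handler. Not a payload taken from the advisory.
$malicious = 'lp-filter" onmouseover="alert(document.domain)';
$atts      = ['class_wrapper_form' => $malicious, 'unexpected' => 'x'];

$vuln = render_form_vulnerable($atts);
$safe = render_form_hardened($atts);

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";

// Checks: the vulnerable output carries a live onmouseover attribute; the
// hardened output keeps the quote encoded inside the class value, and the
// undeclared attribute is dropped before it reaches the template.
assert(str_contains($vuln, '" onmouseover="'));
assert(!str_contains($safe, '" onmouseover="'));
assert(str_contains($safe, '&quot; onmouseover=&quot;'));
assert(!array_key_exists('unexpected', shortcode_atts(['class_wrapper_form' => ''], $atts)));
```

Escaping at the sink is the fix that closes the attribute breakout; shortcode_atts() on its own would not help here, because class_wrapper_form is an attribute the template expects, and the value still has to be escaped when it is written into the HTML.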


How This Could Impact Your Website

In a typical WordPress site running LearnPress, multiple roles interact: a site owner or administrator, internal staff or instructors who publish course content, and external contractors or contributors who may edit or submit content. If a contributor inserts a malicious shortcode attribute that includes script content, that script is stored with the content and runs in the browser of anyone who renders the page. Contributors in WordPress cannot publish on their own, but the shortcode is rendered when an editor or administrator previews or reviews the submitted content, which is exactly where a script aimed at higher-privileged accounts would execute. This can lead to exposure of information available to the page context and manipulation of page content visible to users.

Practical consequences include exposure of internal user data that is visible on affected pages and an increased risk of targeted phishing or social engineering against staff or users who view the injected content. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update LearnPress to a release later than 4.4.0 as soon as a patched version is available; versions up to and including 4.4.0 are affected.
  • Review and reduce unnecessary user roles, especially contributor accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual behavior, and review content submitted by contributor accounts for shortcodes whose attribute values contain quotes, angle brackets or event-handler text.
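One way to act on the monitoring recommendation, as an added example that is not a LearnPress or WordPress feature: a PHP review heuristic that pulls shortcode attribute values out of stored post content and flags values that could break out of an HTML attribute. The shortcode grammar is a simplified approximation of WordPress's (an assumption), the shortcode tag name learn_press_filter_course is assumed for illustration, and the sample posts are constructed.

```php
<?php
// Added review heuristic, not LearnPress or WordPress code.
// Simplified shortcode grammar (assumption): [tag attr="v" attr2='v' attr3=v]
const SHORTCODE_RE = '/\[([a-z0-9_-]+)((?:\s+[a-z0-9_-]+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s\]]+))*)\s*\/?\]/i';
const ATTR_RE      = '/([a-z0-9_-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';

// Characters and fragments that can end an attribute value or add a handler.
const BREAKOUT_RE = '/["\'<>]|\bon[a-z]+\s*=|javascript:/i';

// Returns [shortcode, attribute, value] triples whose value looks like an
// attribute breakout attempt.
function suspicious_shortcode_attrs(string $content): array
{
    $findings = [];
    if (!preg_match_all(SHORTCODE_RE, $content, $tags, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($tags as $tag) {
        if (!preg_match_all(ATTR_RE, $tag[2], $attrs, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($attrs as $a) {
            // Exactly one of the three value groups matches; the others are
            // empty or absent, so concatenating them yields the value.
            $value = ($a[2] ?? '') . ($a[3] ?? '') . ($a[4] ?? '');
            if (preg_match(BREAKOUT_RE, $value)) {
                $findings[] = [$tag[1], $a[1], $value];
            }
        }
    }
    return $findings;
}

// Scans a map of post ID => post_content and returns findings per post.
function scan_posts(array $posts): array
{
    $report = [];
    foreach ($posts as $id => $content) {
        $hits = suspicious_shortcode_attrs($content);
        if ($hits) {
            $report[$id] = $hits;
        }
    }
    return $report;
}

// Constructed sample content. Post 102 smuggles a double quote through a
// single-quoted attribute value, which the shortcode parser accepts.
$posts = [
    101 => '[learn_press_filter_course class_wrapper_form="lp-filter custom"]',
    102 => "[learn_press_filter_course class_wrapper_form='lp\" onmouseover=\"alert(1)']",
    103 => '[gallery ids="1,2,3"]',
];

$report = scan_posts($posts);
foreach ($report as $id => $hits) {
    foreach ($hits as [$tag, $attr, $value]) {
        printf("post %d: [%s] %s=%s\n", $id, $tag, $attr, $value);
    }
}

assert(array_keys($report) === [102]);
assert($report[102][0] === ['learn_press_filter_course', 'class_wrapper_form', 'lp" onmouseover="alert(1)']);
```

In a real deployment this would run over wp_posts.post_content (for example via WP-CLI or a scheduled job) and over post revisions and pending drafts, since a contributor's submission sits as a pending post until an editor reviews it. The heuristic is deliberately broad; a flagged value is a prompt for a human look, not proof of an attack.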

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

