LearnPress Plugin Vulnerability (CVE-2026-4365)

Security Alert Summary

The LearnPress plugin for WordPress contains an authorization bypass that allows unauthenticated deletion of quiz answer options. A missing capability and ownership check on the delete_question_answer() action, combined with a wp_rest nonce exposed in public frontend HTML (lpData) and used as the sole security gate for the lp-load-ajax dispatcher, enables an unauthenticated attacker to send a crafted POST request and remove quiz answer options.


CVE Details

  • CVE ID: CVE-2026-4365
  • Affected component: LearnPress plugin for WordPress
  • Affected versions: all versions up to and including 4.3.2.8
  • Published: April 14, 2026 at 2:16:05 AM UTC
  • Last modified: April 14, 2026 at 2:16:05 AM UTC
  • CVSS v3.1: Base score 9.1 – CRITICAL; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • Authentication / privileges / user interaction: Privileges required: NONE; User interaction: NONE; Attack vector: NETWORK; Attack complexity: LOW
  • Impact: Confidentiality: NONE; Integrity: HIGH; Availability: HIGH
  • CWE: CWE-862 (Missing Authorization)

Technical Details

The plugin prints a wp_rest nonce into the frontend HTML via lpData, and that nonce is the only check performed on AJAX requests routed through the lp-load-ajax dispatcher. A WordPress nonce is a CSRF token: it proves that the request originated from a page the site served within a limited time window, and for a logged-out visitor it is generated for user ID 0, so the same value verifies for every other logged-out visitor in that window. It is not proof of identity or of permission. The delete_question_answer() action performs no capability check and no ownership check of its own, so anyone holding the publicly available nonce can send a crafted POST request and delete quiz answer options without authenticating.

Because the nonce is present in public-facing HTML, an unauthenticated actor can fetch any page that includes it, read it out of lpData, and submit the deletion request. The vulnerability is an authorization bypass that directly impacts data integrity and can also affect availability of quiz functionality by removing answer options. The description does not indicate any confidentiality impact from this issue.
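The pattern described above, as an added illustration that is not LearnPress's own code: a dispatcher whose only gate is the publicly printed wp_rest nonce, beside a hardened version that keeps the nonce as CSRF protection and adds authentication, an object-scoped capability check and an ownership check. The WordPress core APIs used (wp_verify_nonce, check_ajax_referer, is_user_logged_in, current_user_can, get_post, wp_send_json_error/wp_send_json_success, $wpdb) are real; the function names, the action_name/question_id/answer_id request parameters, the lp_question post type and the example database table are assumptions made for this example.

```php
<?php
/**
 * Illustrative reconstruction of the vulnerable pattern, not LearnPress code.
 * Assumed for the example: function names, the POST parameters action_name,
 * question_id and answer_id, the post type 'lp_question' and the table name
 * {$wpdb->prefix}example_question_answers.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The only gate is a 'wp_rest' nonce that the frontend prints into public pages.
// For a logged-out visitor the nonce is generated for user ID 0, so any other
// logged-out visitor holds a valid one: wp_verify_nonce() proves origin and
// freshness, never identity or permission.
function vulnerable_lp_load_ajax_dispatch() {
    $nonce = isset( $_POST['nonce'] ) ? $_POST['nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        wp_send_json_error( 'bad nonce', 403 ); // wp_send_json_* ends the request
    }
    $action = isset( $_POST['action_name'] ) ? sanitize_key( $_POST['action_name'] ) : '';
    if ( 'delete_question_answer' === $action ) {
        vulnerable_delete_question_answer();
    }
    wp_send_json_error( 'unknown action', 400 );
}

function vulnerable_delete_question_answer() {
    // No is_user_logged_in(), no current_user_can(), no ownership check.
    $question_id = isset( $_POST['question_id'] ) ? absint( $_POST['question_id'] ) : 0;
    $answer_id   = isset( $_POST['answer_id'] ) ? absint( $_POST['answer_id'] ) : 0;
    lp_example_delete_answer_row( $question_id, $answer_id );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
function hardened_lp_load_ajax_dispatch() {
    // 1. Keep the nonce, but only as the CSRF check it actually is.
    check_ajax_referer( 'wp_rest', 'nonce' ); // dies with 403 on failure
    // 2. Require an authenticated user before dispatching any mutating action.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    $action = isset( $_POST['action_name'] ) ? sanitize_key( $_POST['action_name'] ) : '';
    if ( 'delete_question_answer' === $action ) {
        hardened_delete_question_answer();
    }
    wp_send_json_error( 'unknown action', 400 );
}

function hardened_delete_question_answer() {
    $question_id = isset( $_POST['question_id'] ) ? absint( $_POST['question_id'] ) : 0;
    $answer_id   = isset( $_POST['answer_id'] ) ? absint( $_POST['answer_id'] ) : 0;

    // 3. The target must exist and be of the expected type (post type assumed).
    $question = get_post( $question_id );
    if ( ! $question || 'lp_question' !== $question->post_type ) {
        wp_send_json_error( 'no such question', 404 );
    }
    // 4. Capability check scoped to this object. For post types registered with
    //    map_meta_cap, 'edit_post' lets an author edit their own question while a
    //    user holding edit_others_posts may edit anyone's.
    if ( ! current_user_can( 'edit_post', $question_id ) ) {
        error_log( sprintf( 'Rejected delete_question_answer: user %d, question %d',
            get_current_user_id(), $question_id ) );
        wp_send_json_error( 'forbidden', 403 );
    }
    // 5. Ownership: the answer must belong to the question the caller may edit,
    //    so an answer ID from another quiz cannot be deleted through this one.
    if ( ! lp_example_answer_belongs_to_question( $answer_id, $question_id ) ) {
        wp_send_json_error( 'answer does not belong to question', 400 );
    }
    lp_example_delete_answer_row( $question_id, $answer_id );
    wp_send_json_success();
}

// --- Assumed storage helpers (table and column names are assumptions) --------
function lp_example_answer_belongs_to_question( $answer_id, $question_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_question_answers';
    return (bool) $wpdb->get_var( $wpdb->prepare(
        "SELECT 1 FROM {$table} WHERE question_answer_id = %d AND question_id = %d",
        $answer_id, $question_id
    ) );
}

function lp_example_delete_answer_row( $question_id, $answer_id ) {
    global $wpdb;
    $wpdb->delete(
        $wpdb->prefix . 'example_question_answers',
        array( 'question_answer_id' => $answer_id, 'question_id' => $question_id ),
        array( '%d', '%d' )
    );
}
```

The point of the hardened version is that each of the three checks answers a different question: the nonce asks "did this request come from my page recently", is_user_logged_in() asks "who is asking", and current_user_can() plus the ownership lookup ask "may this person change this object". The vulnerable version answers only the first, which a logged-out attacker can satisfy by loading any public page.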


How This Could Impact Your Website

In a typical site setup, a site owner publishes courses while instructors or staff create quizzes and manage questions. Because the deletion request needs no account, an external actor can strip answer options from quizzes without ever signing in, leaving broken quizzes, incorrect grading, or missing content for students. Staff then have to investigate, restore the removed options from a backup or by hand, and verify quiz integrity, and any contractor or contributor who manages course content cannot rely on existing quiz data until that work is done.

The practical consequences are loss of quiz data integrity, disrupted course delivery, extra support and recovery effort, and confusion for enrolled users. If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update LearnPress to a release newer than 4.3.2.8 as soon as one is available; every release up to and including 4.3.2.8 is affected. Until then, consider restricting requests to the lp-load-ajax dispatcher at the web server or WAF layer, bearing in mind that this may also block legitimate front-end requests.
  • Review and reduce unnecessary user roles and permissions, especially for contributors and content editors. This does not mitigate CVE-2026-4365 itself, which needs no account at all, but it limits what an attacker gains from any account they do compromise.
  • Enforce strong passwords and enable two-factor authentication for editor and administrator accounts. As with role review, this is general hardening rather than a fix for this unauthenticated issue.
  • Remove unused or unmaintained plugins from your site.
  • Monitor web server and application logs for POST requests to the lp-load-ajax dispatcher that carry the delete_question_answer action, especially from clients without a WordPress login cookie or in repeated bursts, and audit existing quizzes for questions that have lost answer options.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
