Security Alert Summary
The LearnPress 6 WordPress LMS Plugin is affected by a stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 4.3.1. Authenticated users with Subscriber-level access or higher can inject scripts that will execute when other users access an injected page, due to insufficient input sanitization and output escaping.
CVE Details
- CVE ID: CVE-2025-14387
- Affected plugin or component: LearnPress 6 WordPress LMS Plugin
- Affected versions: All versions up to, and including, 4.3.1
- Published: December 15, 2025 at 4:15 PM UTC
- Last modified: December 15, 2025 at 6:22 PM UTC
- CVSS v3.1: Base Score 6.4, MEDIUM 6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / privileges / user interaction: Authenticated attacker required; privileges required: LOW (Subscriber-level and above); user interaction: NONE
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- CWE / weakness ID: CWE-79 (Cross-site Scripting)
Technical Details
The CVE description indicates a stored Cross-Site Scripting (XSS) vulnerability in LearnPress caused by insufficient input sanitization and output escaping. The issue affects all versions up to, and including, 4.3.1. Authenticated users with Subscriber-level access or higher can store attacker-supplied content that includes script, which will execute in the browser of any user who views the injected page.
The entry does not name specific functions, REST API endpoints, or exact code locations where validation or escaping is missing. The root cause described is improper handling of user-supplied data prior to storage and output.
The practical impact is limited to what stored XSS can achieve within the affected site’s privilege model: execution of attacker-supplied script in the context of visiting users, which can lead to disclosure of data available to that user or manipulation of the user’s session or UI. The CVE entry does not specify whether public exploits exist or which plugin version, if any, contains a fix.
How This Could Impact Your Website
On a typical LearnPress-powered site, multiple roles interact with course content. For example, an external contractor or a low-privilege contributor could add or edit course content containing malicious script. When instructors, administrators, or other users view that content, the injected script could execute in their browsers. Consequences may include disclosure of information accessible to the viewing user, unwanted actions performed in the user’s browser, or use of captured information for targeted phishing or social engineering against staff.
This vulnerability’s CVSS impacts indicate limited confidentiality and integrity effects and no availability impact; it does not inherently imply full site compromise. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles, especially contributors and subscribers.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior, particularly after content or user changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.