VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 65 known issues Latest disclosed Apr 07, 2026

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses Vulnerabilities

Review known vulnerability records for the WordPress plugin LearnPress – WordPress LMS Plugin for Create and Sell Online Courses (`learnpress`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-4333, CVE-2026-3225 and CVE-2026-3226, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
65
High or Critical
21
Patch Coverage
100%
Last Updated
Apr 08, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for LearnPress – WordPress LMS Plugin for Create and Sell Online Courses so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
65 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
8 critical and 13 high severity findings.
Recent CVEs
CVE-2026-4333, CVE-2026-3225 and CVE-2026-3226
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-4333
LearnPress <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on t...

Published
Apr 07, 2026
Patched Release
4.3.4
Affected Versions
Versions up to 4.3.3
Next Step
Update to 4.3.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-3225
LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The A...

Published
Mar 23, 2026
Patched Release
4.3.3
Affected Versions
Versions up to 4.3.2.8
Next Step
Update to 4.3.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-3226
LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax()...

Published
Mar 11, 2026
Patched Release
4.3.3
Affected Versions
Versions up to 4.3.2.8
Next Step
Update to 4.3.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14798
LearnPress – WordPress LMS Plugin <= 4.3.2.4 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user...

Published
Jan 19, 2026
Patched Release
4.3.2.5
Affected Versions
Versions up to 4.3.2.4
Next Step
Update to 4.3.2.5 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14802
LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorizatio...

Published
Jan 06, 2026
Patched Release
4.3.2.2
Affected Versions
Versions up to 4.3.2.1
Next Step
Update to 4.3.2.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-13964
LearnPress – WordPress LMS Plugin <= 4.3.2 - Missing Authentication to Unauthenticated Course Modification

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modif...

Published
Jan 05, 2026
Patched Release
4.3.2.1
Affected Versions
Versions up to 4.3.2
Next Step
Update to 4.3.2.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-13956
LearnPress – WordPress LMS Plugin <= 4.3.1 - Missing Authorization to Unauthenticated Orders Statistics Exposure

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin...

Published
Dec 15, 2025
Patched Release
4.3.2
Affected Versions
Versions up to 4.3.1
Next Step
Update to 4.3.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14387
LearnPress – WordPress LMS Plugin <= 4.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via get_profile_social

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-leve...

Published
Dec 15, 2025
Patched Release
4.3.2
Affected Versions
Versions up to 4.3.1
Next Step
Update to 4.3.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-66054
LearnPress <= 4.2.9.4 - Missing Authorization

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.9.4. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Nov 30, 2025
Patched Release
4.3.0
Affected Versions
Versions up to 4.2.9.4
Next Step
Update to 4.3.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-11368
LearnPress – WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary ca...

Published
Nov 20, 2025
Patched Release
4.3.0
Affected Versions
Versions up to 4.2.9.4
Next Step
Update to 4.3.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-67536
LearnPress <= 4.2.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.2.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to i...

Published
Nov 06, 2025
Patched Release
4.3.0
Affected Versions
Versions up to 4.2.9.4
Next Step
Update to 4.3.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-11372
LearnPress – WordPress LMS Plugin <= 4.2.9.3 - Missing Authorization to Unauthenticated Database Table Manipulation

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permission_callback set to __return...

Published
Oct 17, 2025
Patched Release
4.2.9.4
Affected Versions
Versions up to 4.2.9.3
Next Step
Update to 4.2.9.4 or newer if supported.
Open Full Report Open CVE Reference