Auth bypass in Thimpress Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses
CVE-2026-4365
The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. The plugin exposes a `wp_rest` nonc…
Vulnerability class: Broken Access Control
EPSS: 0.000 (10.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.
Affected products
Weakness classification (CWE)
References
- www.wordfence.com/threat-intel/vulnerabilities/id/021bd566-1663-46ba-a616-ab554…
- plugins.trac.wordpress.org/browser/learnpress/trunk/inc/Ajax/EditQuestionAjax.p…
- plugins.trac.wordpress.org/browser/learnpress/trunk/inc/Ajax/AbstractAjax.php
- plugins.trac.wordpress.org/browser/learnpress/trunk/inc/class-lp-assets.php
Frequently asked questions
- What is CVE-2026-4365?
- CVE-2026-4365 is a critical-severity vulnerability in Thimpress Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses, classified under Missing Authorization. CVSS score: 9.1/10. Published 2026-04-14.
- How severe is CVE-2026-4365?
- Critical severity. CVSS v3 base score is 9.1 out of 10.