CVE-2024-1463 MEDIUM

CVE-2024-1463: LearnPress <= 4.2.6.3 - Authenticated(LP Instructor+) Stored Cross-Site Scripting

Vendor Thimpress
Product LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Weakness CWE-79 · XSS
Published April 9, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Course, Lesson, and Quiz title and content in all versions up to, and including, 4.2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with LP Instructor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

02Disclosure timeline

April 9, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-31730 WordPress Marketer Addons Plugin <= 1.0.1 - Stored Cross Site Scripting (XSS) vulnerability CVE-2022-42362 AEM Reflected XSS Arbitrary code execution CVE-2024-2692 SiYuan 3.0.3 - RCE via Server Side XSS CVE-2024-6361 Improper Neutralization vulnerability (XSS) has been discovered in OpenText™ ALM Octane product. CVE-2024-11854 Listdom – Business Directory and Classified Ads Listings WordPress Plugin <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Parameter