What the vulnerability does
01 Description
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Explanation of Vulnerability in Simple Terms
02 Summary
LearnPress versions up to 4.3.1 contain a stored cross-site scripting (XSS) vulnerability that allows authenticated users with low privileges to inject malicious scripts. These scripts execute in the browsers of other users, including site administrators, potentially compromising accounts or stealing sensitive data. The vulnerability affects the plugin's core functionality and impacts all site visitors.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute in other users' browsers, including administrators.
Potential impact on your site
04 Site Impact
Any logged-in user can inject code that affects other users; admin accounts are at risk.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the WordPress site.
Key dates
06 Disclosure timeline
December 15, 2025: CVE published
April 8, 2026: Record updated