What the vulnerability does
01 Description
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and the QuestionAnswerModel::delete() method only validates minimum answer counts without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete answer options from any quiz question on the site.
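The pattern described above, where a nonce check is present but no capability check follows it, is shown here as an added example in its corrected form. This is not LearnPress source code: the handler, the demo_* function names, the request field names, the demo_question_answers table and the minimum of one remaining answer are all assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical handler, NOT LearnPress source code.
// Assumed names: demo_* functions, the demo_question_answers table, request fields.
add_action( 'wp_ajax_demo_delete_question_answer', 'demo_delete_question_answer' );

function demo_delete_question_answer() {
	// 1. Nonce: proves the request came from the user's own session (CSRF defence).
	//    It says nothing about what that user may do; a Subscriber passes this too.
	$nonce = isset( $_REQUEST['nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	$question_id = isset( $_POST['question_id'] ) ? absint( $_POST['question_id'] ) : 0;
	$answer_id   = isset( $_POST['answer_id'] ) ? absint( $_POST['answer_id'] ) : 0;
	if ( ! $question_id || ! $answer_id || ! get_post( $question_id ) ) {
		wp_send_json_error( array( 'message' => 'Unknown question or answer.' ), 400 );
	}

	// 2. Authorization on the specific object. This is the check the advisory
	//    reports as missing: without it, step 3 runs for any logged-in user.
	if ( ! current_user_can( 'edit_post', $question_id ) ) {
		wp_send_json_error( array( 'message' => 'You cannot edit this question.' ), 403 );
	}

	// 3. Business rule and deletion.
	if ( ! demo_delete_answer( $question_id, $answer_id ) ) {
		wp_send_json_error( array( 'message' => 'Answer could not be deleted.' ), 409 );
	}
	wp_send_json_success( array( 'deleted' => $answer_id ) );
}

// Business rule only (assumed minimum of one remaining answer); no capability logic here.
function demo_delete_answer( $question_id, $answer_id ) {
	global $wpdb;
	$table = $wpdb->prefix . 'demo_question_answers'; // hypothetical table
	$count = (int) $wpdb->get_var(
		$wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE question_id = %d", $question_id )
	);
	if ( $count <= 1 ) {
		return false;
	}
	// Scope the delete to the authorized question so an answer_id from another question is ignored.
	return (bool) $wpdb->delete( $table, array( 'id' => $answer_id, 'question_id' => $question_id ), array( '%d', '%d' ) );
}
```

When reviewing other AJAX or REST handlers for the same class of bug, look for state-changing code paths where wp_verify_nonce() or check_ajax_referer() is the only gate before the model layer is called.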
Explanation of Vulnerability in Simple Terms
02 Summary
LearnPress versions up to 4.3.2.8 lack proper authorization checks, allowing authenticated users to modify course or lesson data they should not have access to. An attacker with a low-privilege account (such as a student) can change content integrity without elevated permissions. The vulnerability requires an existing user account but no additional user interaction.
What an attacker can do
03 Attacker Capabilities
Modify course or lesson content that the attacker should not have permission to change.
Potential impact on your site
04 Site Impact
Course instructors' and administrators' content can be altered by students or other low-privilege users, compromising course integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., student or subscriber role).
Key dates
06 Disclosure timeline
March 23, 2026: CVE published
April 8, 2026: Record updated