CVE-2026-3225 MEDIUM

CVE-2026-3225: LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion

Vendor Thimpress
Product LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Weakness CWE-862 · Missing authorization
Published March 23, 2026
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and QuestionAnswerModel::delete() only enforces a minimum answer count; neither step asks whether the caller is allowed to edit the question. A nonce proves that the request came from a logged-in session on the site, which defends against CSRF, but it is not an authorization check, so any authenticated attacker with Subscriber-level access or above can delete answer options from any quiz question on the site.
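The pattern the description names, a nonce check with no capability check in front of a model that only enforces a minimum count, is easier to recognise in code. The following is an added illustration written for this page, not LearnPress's own code: a minimal WordPress AJAX handler that deletes one answer option from a quiz question, first in the nonce-only form the advisory describes and then with an object-level capability check added. Every name in it (the demo_ prefix, the 'demo_question' post type, the demo_question_answers table, the minimum of two answers) is an assumption made for the example.

```php
<?php
/**
 * Added illustration, not LearnPress's own code. A minimal WordPress AJAX
 * handler that deletes one answer option from a quiz question, shown in the
 * nonce-only form the advisory describes and in a hardened form. All names
 * here (the demo_ prefix, the 'demo_question' post type, the
 * demo_question_answers table, DEMO_MIN_ANSWERS) are assumptions for the example.
 */

defined( 'ABSPATH' ) || exit;

define( 'DEMO_MIN_ANSWERS', 2 ); // assumption: a question must keep at least two options

// --- Vulnerable pattern ------------------------------------------------------
// Registered under wp_ajax_ only (no wp_ajax_nopriv_), so the caller must be
// logged in. That is the full extent of the access control.
add_action( 'wp_ajax_demo_delete_answer_vulnerable', 'demo_delete_answer_vulnerable' );

function demo_delete_answer_vulnerable() {
    // A wp_rest nonce proves the request came from a session on this site
    // (CSRF protection). WordPress issues one to every logged-in user, so a
    // Subscriber passes this line as easily as an administrator does.
    check_ajax_referer( 'wp_rest', '_wpnonce' );

    $question_id = absint( $_POST['question_id'] ?? 0 );
    $answer_id   = absint( $_POST['answer_id'] ?? 0 );

    // No current_user_can() anywhere: the only thing between a Subscriber and
    // somebody else's question is the minimum-count rule in the model.
    if ( demo_delete_answer_row( $question_id, $answer_id ) ) {
        wp_send_json_success();
    }
    wp_send_json_error( 'minimum answer count reached', 400 );
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'wp_ajax_demo_delete_answer_hardened', 'demo_delete_answer_hardened' );

function demo_delete_answer_hardened() {
    check_ajax_referer( 'wp_rest', '_wpnonce' );

    $question_id = absint( $_POST['question_id'] ?? 0 );
    $answer_id   = absint( $_POST['answer_id'] ?? 0 );

    // Object-level authorization: the target must be a question post, and the
    // caller must be allowed to edit *that* post. current_user_can('edit_post', $id)
    // is resolved through map_meta_cap, so the question's author or an
    // administrator passes and a Subscriber (no edit capability at all) is refused.
    if ( ! $question_id
        || get_post_type( $question_id ) !== 'demo_question'
        || ! current_user_can( 'edit_post', $question_id ) ) {
        wp_send_json_error( 'You are not allowed to edit this question.', 403 );
    }

    if ( demo_delete_answer_row( $question_id, $answer_id ) ) {
        wp_send_json_success();
    }
    wp_send_json_error( 'minimum answer count reached', 400 );
}

// --- Shared model code -------------------------------------------------------
// Deletes the row only if the question would still keep DEMO_MIN_ANSWERS options.
// This is a data-integrity rule, not an authorization rule: it limits how far a
// question can be stripped, not who may strip it.
function demo_delete_answer_row( $question_id, $answer_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_question_answers';

    $count = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE question_id = %d",
        $question_id
    ) );
    if ( $count <= DEMO_MIN_ANSWERS ) {
        return false;
    }

    // $wpdb->delete() builds a prepared DELETE from the WHERE array and formats.
    $deleted = $wpdb->delete(
        $table,
        array( 'question_id' => $question_id, 'answer_id' => $answer_id ),
        array( '%d', '%d' )
    );
    return (bool) $deleted;
}
```

Two points the hardened version makes that a generic "is the user logged in" or even a role check would miss: the capability is evaluated against the specific question (a site-wide edit_posts check would still let one instructor delete another instructor's answers), and the post type is confirmed before the capability lookup so that an arbitrary post ID cannot be passed through. Whether LearnPress's own fix takes this exact shape is not stated on this page; the general rule is that every AJAX or REST handler that changes data needs a capability check in addition to its nonce.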

Explanation of Vulnerability in Simple Terms

02 Summary

LearnPress versions up to and including 4.3.2.8 do not check whether the caller is allowed to edit a quiz question before deleting one of its answer options. Any logged-in user, even a low-privilege account such as a Subscriber (the role a student account normally carries), can therefore remove answer choices from quiz questions they do not own, damaging content integrity without any elevated permissions. The attack requires an existing account on the site but no interaction from an administrator or instructor.

What an attacker can do

03 Attacker Capabilities

Delete answer options from any quiz question on the site, regardless of who authored the question. The only limit the plugin enforces is the minimum number of answers a question must keep, so the attacker can strip a question down to that minimum but cannot empty it, and cannot read or create content through this flaw.

Potential impact on your site

04 Site Impact

Quiz questions written by instructors and administrators can be altered by students or other low-privilege users: correct answers or distractors disappear, so quizzes no longer assess what their authors intended and course integrity is compromised. The impact is to integrity only (CVSS C:N/A:N); no data is disclosed and the site remains available.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account on the target site (Subscriber role or above; a student account is enough). The request must carry a valid wp_rest nonce, but WordPress issues one to every logged-in user, so this is not a meaningful extra barrier. No interaction from an administrator or instructor is required.

Key dates

06 Disclosure timeline

March 23, 2026 CVE published
April 8, 2026 Record updated