CVE-2026-8502 MEDIUM

CVE-2026-8502: LearnPress <= 4.3.6 - Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters

Vendor Thimpress
Product LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Weakness CWE-862 · Missing authorization
Published June 6, 2026
Last update June 6, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'c_status' and 'return_type' parameters of the /wp-json/lp/v1/courses/archive-course REST endpoint. This makes it possible for unauthenticated attackers to extract sensitive data, including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses, through an unrestricted SELECT * fallback query. Exploitation requires supplying both parameters in a single unauthenticated request: c_status=all bypasses the publish-only post_status WHERE clause, and return_type=json prevents the safe DISTINCT(ID) AS ID field override, so the query returns every column of every matching course row instead of only published course IDs.
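Two checks a site owner or SOC analyst would want for this issue, written as an added example that is not code from the advisory, from Thimpress, or from the plugin. The only facts it takes from the advisory are the endpoint path /wp-json/lp/v1/courses/archive-course, the parameter pair c_status=all plus return_type=json, and the WordPress column names (ID, post_status, post_password) that the fallback query leaks. The Apache combined log format, the alternative ?rest_route= way of reaching the same route, the JSON response shape, and all sample log lines and records are assumptions or constructed data. The first function flags access-log requests that carry both bypass parameters on the vulnerable route, regardless of parameter order or percent-encoding; the second walks a JSON response of any shape and lists records that should never reach an anonymous caller.

```python
"""Added example, not code from the advisory or from the LearnPress plugin.
Facts taken from the advisory: the REST endpoint path, the parameter pair
c_status=all + return_type=json, and the leaked column names.  The log
format, the ?rest_route= path, the JSON shape and every sample value below
are assumptions or constructed data."""
import json
import re
from urllib.parse import parse_qs, urlsplit

PRETTY_PATH = "/wp-json/lp/v1/courses/archive-course"  # from the advisory
REST_ROUTE = "/lp/v1/courses/archive-course"           # same route via ?rest_route= (assumed)

# Assumed Apache combined log format; only the request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_exploit_request(target: str) -> bool:
    """True when a request target reaches the archive-course route with BOTH
    c_status=all and return_type=json, the combination the advisory says is
    required.  parse_qs percent-decodes and ignores parameter order; values
    are case-folded so the detection errs towards a false positive."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    on_route = parts.path.rstrip("/").endswith(PRETTY_PATH) or any(
        r.rstrip("/").endswith(REST_ROUTE) for r in query.get("rest_route", [])
    )
    if not on_route:
        return False
    c_status = {v.lower() for v in query.get("c_status", [])}
    return_type = {v.lower() for v in query.get("return_type", [])}
    return "all" in c_status and "json" in return_type


def scan_log(lines):
    """Return one record per access-log line whose request matches
    is_exploit_request; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_exploit_request(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": m["status"], "target": m["target"]})
    return hits


def leaked_records(payload):
    """Walk a JSON response of any shape and collect records an anonymous
    caller must never see: a post_status other than 'publish', or a non-empty
    post_password.  A patched site should return nothing here for an
    unauthenticated probe; a vulnerable one returns draft/private/pending
    courses and password-protected ones with their plaintext password."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            status = node.get("post_status")
            password = node.get("post_password")
            if (status is not None and status != "publish") or password:
                found.append({"ID": node.get("ID"), "post_status": status,
                              "post_password": password})
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(payload)
    return found


# Constructed sample data: four access-log lines and one JSON body.  The field
# names ID/post_status/post_password are the WordPress columns the advisory
# names; the nesting around them is invented.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2026:10:01:02 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_status=all&return_type=json HTTP/1.1" 200 48213 "-" "curl/8.5.0"
203.0.113.5 - - [07/Jun/2026:10:01:05 +0000] "GET /wp-json/lp/v1/courses/archive-course?return_type=json HTTP/1.1" 200 1203 "-" "curl/8.5.0"
198.51.100.9 - - [07/Jun/2026:10:02:11 +0000] "GET /?rest_route=%2Flp%2Fv1%2Fcourses%2Farchive-course&return_type=JSON&c_status=all HTTP/1.1" 200 45911 "-" "python-requests/2.32"
192.0.2.44 - - [07/Jun/2026:10:03:00 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_status=all HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""

SAMPLE_RESPONSE = json.loads("""
{"status": "success", "data": {"courses": [
  {"ID": 11, "post_status": "publish", "post_password": "",       "post_name": "intro"},
  {"ID": 12, "post_status": "draft",   "post_password": "",       "post_name": "unreleased-module"},
  {"ID": 13, "post_status": "publish", "post_password": "s3cret", "post_name": "members-only"}
]}}
""")

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("exploit attempt:", hit["ip"], hit["ts"], hit["status"])
    for rec in leaked_records(SAMPLE_RESPONSE):
        print("leaked record:", rec)
```

Only the first and third sample lines are flagged: the second and fourth carry just one of the two parameters, which the advisory says is not enough to reach the SELECT * fallback. The third line shows why a detection keyed on the literal path /wp-json/... alone is too narrow: WordPress also serves REST routes through the rest_route query parameter when pretty permalinks are off. On the response side, a 200 from the endpoint with an empty leaked_records list is the expected result after patching; any record in the list means the site still hands unpublished content or course passwords to anonymous callers.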

Explanation of Vulnerability in Simple Terms

02 Summary

LearnPress versions up to and including 4.3.6 lack an authorization check on one of the plugin's REST endpoints, allowing unauthenticated attackers to read the contents and passwords of courses that should not be visible to the public. The vulnerability requires no user interaction and can be exploited over the network by anyone who can reach the site. Site administrators should update to a patched release newer than 4.3.6 to prevent unauthorized data disclosure.

What an attacker can do

03 Attacker Capabilities

Read, without logging in, the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of draft, private, and pending courses.

Potential impact on your site

04 Site Impact

Unauthorized users can access confidential course data stored in LearnPress: the plaintext passwords of password-protected courses and the full content, author, and slug of courses that have not yet been published. Only course records are exposed by this issue; no integrity or availability impact is recorded.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required. The attacker needs to reach the plugin's REST endpoint /wp-json/lp/v1/courses/archive-course and supply both c_status=all and return_type=json in one request.

Key dates

06 Disclosure timeline

June 6, 2026 CVE published
June 6, 2026 Record updated