LearnPress – WordPress LMS Plugin for Create and Sell Online Courses WordPress Plugin Security Vulnerabilities | WPScan

56

March 30, 2026

80000

Published

2026-03-23

Title

LearnPress < 4.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion

Fixed in

Fixed in 4.3.3

CVSS

4.3 (medium)

Published

2026-03-11

Title

LearnPress < 4.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering

Fixed in

Fixed in 4.3.3

CVSS

4.3 (medium)

Published

2026-01-19

Title

LearnPress – WordPress LMS Plugin < 4.3.2.5 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API

Fixed in

Fixed in 4.3.2.5

CVSS

5.3 (medium)

Published

2026-01-06

Title

LearnPress – WordPress LMS Plugin < 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion

Fixed in

Fixed in 4.3.2.2

CVSS

5.4 (medium)

Published

2026-01-05

Title

LearnPress – WordPress LMS Plugin < 4.3.2.1 - Missing Authentication to Unauthenticated Course Modification

Fixed in

Fixed in 4.3.2.1

CVSS

5.3 (medium)

Published

2025-12-15

Title

LearnPress – WordPress LMS Plugin < 4.3.2 - Missing Authorization to Unauthenticated Orders Statistics Exposure

Fixed in

Fixed in 4.3.2

CVSS

5.3 (medium)

Published

2025-12-15

Title

LearnPress – WordPress LMS Plugin < 4.3.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via get_profile_social

Fixed in

Fixed in 4.3.2

CVSS

6.4 (medium)

Published

2025-11-30

Title

LearnPress < 4.3.0 - Missing Authorization

Fixed in

Fixed in 4.3.0

CVSS

5.3 (medium)

Published

2025-11-20

Title

LearnPress – WordPress LMS Plugin < 4.3.0 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure

Fixed in

Fixed in 4.3.0

CVSS

5.3 (medium)

Published

2025-11-06

Title

LearnPress < 4.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 4.3.0

CVSS

6.4 (medium)

Published

2025-10-17

Title

LearnPress – WordPress LMS Plugin < 4.2.9.4 - Missing Authorization to Unauthenticated Database Table Manipulation

Fixed in

Fixed in 4.2.9.4

CVSS

6.5 (medium)

Published

2025-03-27

Title

LearnPress < 4.2.7.6 - Missing Authorization

Fixed in

Fixed in 4.2.7.6

CVSS

5.3 (medium)

Published

2025-01-24

Title

LearnPress – WordPress LMS Plugin < 4.2.7.5.1 - Authenticated (LP Instructor+) Stored Cross-Site Scripting via Lesson Name

Fixed in

Fixed in 4.2.7.5.1

CVSS

6.4 (medium)

Published

2025-01-24

Title

LearnPress < 4.2.7.2 - Authenticated (Subscriber+) Open Redirect

Fixed in

Fixed in 4.2.7.2

CVSS

5.4 (medium)

Published

2024-12-24

Title

LearnPress – WordPress LMS Plugin < 4.2.7.5.1 - Admin+ Stored XSS

Fixed in

Fixed in 4.2.7.5.1

CVSS

3.5 (low)

Published

2024-12-24

Title

LearnPress – WordPress LMS Plugin < 4.2.7.5.1 - Admin+ Stored XSS

Fixed in

Fixed in 4.2.7.5.1

CVSS

3.5 (low)

Published

2024-12-09

Title

LearnPress – WordPress LMS Plugin < 4.2.7.4 - Course Material Sensitive Information Exposure via REST API

Fixed in

Fixed in 4.2.7.4

CVSS

5.3 (medium)

Published

2024-11-21

Title

LearnPress < 4.2.7.2 - Admin+ Stored XSS

Fixed in

Fixed in 4.2.7.2

CVSS

3.5 (low)

Published

2024-11-21

Title

LearnPress < 4.2.7.2 - Admin+ Stored XSS

Fixed in

Fixed in 4.2.7.2

CVSS

3.5 (low)

Published

2024-09-11

Title

LearnPress – WordPress LMS Plugin < 4.2.7.1 - Unauthenticated SQL Injection via 'c_fields'

Fixed in

Fixed in 4.2.7.1

CVSS

10 (critical)

Published

2024-09-11

Title

LearnPress – WordPress LMS Plugin < 4.2.7.1 - Unauthenticated SQL Injection via 'c_only_fields'

Fixed in

Fixed in 4.2.7.1

CVSS

10 (critical)

Published

2024-08-07

Title

LearnPress – WordPress LMS Plugin < 4.2.6.9.4 - Authenticated (Contributor+) SQL Injection via order Parameter

Fixed in

Fixed in 4.2.6.9.4

CVSS

8.8 (high)

Published

2024-08-01

Title

LearnPress < 4.2.6.9 - Authenticated (Subscriber+) Insecure Direct Object Reference

Fixed in

Fixed in 4.2.6.9

CVSS

5.4 (medium)

Published

2024-08-01

Title

LearnPress < 4.2.6.9 - Cross-Site Request Forgery

Fixed in

Fixed in 4.2.6.9

CVSS

4.3 (medium)

Published

2024-07-24

Title

LearnPress < 4.2.6.9 - Authenticated (Contributor+) Local File Inclusion

Fixed in

Fixed in 4.2.6.9

CVSS

8.8 (high)

Published

2024-07-01

Title

LearnPress – WordPress LMS Plugin < 4.2.6.8.2 - Unauthenticated Bypass to User Registration

Fixed in

Fixed in 4.2.6.8.2

CVSS

5.3 (medium)

Published

2024-07-01

Title

LearnPress – WordPress LMS Plugin < 4.2.6.8.2 - Missing Authorization to Unauthenticated User Registration Bypass

Fixed in

Fixed in 4.2.6.8.2

CVSS

5.3 (medium)

Published

2024-06-04

Title

LearnPress – WordPress LMS Plugin < 4.2.6.8.1 - Basic Information Disclosure via JSON API

Fixed in

Fixed in 4.2.6.8.1

CVSS

5.3 (medium)

Published

2024-05-21

Title

LearnPress – WordPress LMS Plugin < 4.2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Fixed in

Fixed in 4.2.6.7

CVSS

6.4 (medium)

Published

2024-05-09

Title

LearnPress – WordPress LMS Plugin < 4.2.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via layout_html Parameter

Fixed in

Fixed in 4.2.6.6

CVSS

6.4 (medium)

Published

2024-05-09

Title

LearnPress – WordPress LMS Plugin < 4.2.6.6 - Unauthenticated Time-Based SQL Injection

Fixed in

Fixed in 4.2.6.6

CVSS

9.8 (critical)

Published

2024-05-09

Title

LearnPress – WordPress LMS Plugin < 4.2.6.6 - Authenticated (Instructor+) Arbitrary File Upload

Fixed in

Fixed in 4.2.6.6

CVSS

8.8 (high)

Published

2024-05-09

Title

LearnPress – WordPress LMS Plugin < 4.2.6.6 - Unauthenticated Bypass to User Registration

Fixed in

Fixed in 4.2.6.6

CVSS

5.3 (medium)

Published

2024-04-18

Title

LearnPress – WordPress LMS Plugin < 4.2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 4.2.6.5

CVSS

6.4 (medium)

Published

2024-04-04

Title

LearnPress < 4.2.6.4 - Authenticated(LP Instructor+) Stored Cross-Site Scripting

Fixed in

Fixed in 4.2.6.4

CVSS

4.4 (medium)

Published

2024-04-04

Title

LearnPress – WordPress LMS Plugin < 4.0.1 - Cross-Site Request Forgery to Privilege Escalation

Fixed in

Fixed in 4.0.1

CVSS

8.8 (high)

Published

2024-04-04

Title

LearnPress < 4.2.6.4 - Insecure Direct Object Reference

Fixed in

Fixed in 4.2.6.4

CVSS

6.5 (medium)

Published

2024-01-03

Title

LearnPress < 4.2.5.8 - Unauthenticated Command Injection

Fixed in

Fixed in 4.2.5.8

CVSS

8.1 (high)

Published

2024-01-02

Title

LearnPress < 4.2.5.8 - Subscriber+ Arbitrary Course Progress Disclosure

Fixed in

Fixed in 4.2.5.8

CVSS

4.3 (medium)

Published

2024-01-02

Title

LearnPress < 4.2.5.8 - Unauthenticated SQLi

Fixed in

Fixed in 4.2.5.8

CVSS

8.6 (high)

Published

2023-11-17

Title

LearnPress < 4.2.5.5 - Reflected Cross-Site Scripting

Fixed in

Fixed in 4.2.5.5

CVSS

7.1 (high)

Published

2023-01-24

Title

LearnPress Plugin < 4.2.0 - Unauthenticated LFI

Fixed in

Fixed in 4.2.0

CVSS

9.3 (critical)

Published

2023-01-24

Title

LearnPress Plugin < 4.2.0 - Subscriber+ SQLi

Fixed in

Fixed in 4.2.0

CVSS

7.7 (high)

Published

2023-01-24

Title

LearnPress Plugin < 4.2.0 - Unauthenticated SQLi

Fixed in

Fixed in 4.2.0

CVSS

8.6 (high)

Published

2022-10-05

Title

LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API

Fixed in

Fixed in 4.1.7.2

CVSS

6.5 (medium)

Published

2022-06-22

Title

LearnPress < 4.1.6.7 - Reflected Cross-Site Scripting

Fixed in

Fixed in 4.1.6.7

CVSS

6.1 (medium)

Published

2022-03-16

Title

LearnPress < 4.1.6 - Reflected Cross-Site Scripting

Fixed in

Fixed in 4.1.6

CVSS

6.1 (medium)

Published

2022-01-26

Title

LearnPress < 4.1.5 - Arbitrary Image Renaming

Fixed in

Fixed in 4.1.5

CVSS

5.0 (medium)

Published

2021-11-09

Title

LearnPress < 4.1.4 - Admin+ SQL Injection

Fixed in

Fixed in 4.1.4

CVSS

6.8 (medium)

Published

2021-10-18

Title

LearnPress < 4.1.3.2 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 4.1.3.2

CVSS

3.5 (low)

Published

2021-09-20

Title

LearnPress < 4.1.3.1 - Multiple Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 4.1.3.1

CVSS

3.8 (low)

Published

2020-09-09

Title

LearnPress < 3.2.7.3 - CSRF & XSS

Fixed in

Fixed in 3.2.7.3

CVSS

3.5 (low)

Published

2020-04-29

Title

Learnpress < 3.2.6.8 - Authenticated Time Based Blind SQL Injection

Fixed in

Fixed in 3.2.6.8

CVSS

8.5 (high)

Published

2020-04-28

Title

LearnPress < 3.2.6.9 - Authenticated Post Creation and Status Modification

Fixed in

Fixed in 3.2.6.9

CVSS

7.1 (high)

Published

2020-04-28

Title

LearnPress < 3.2.6.9 - Privilege Escalation to "LP Instructor"

Fixed in

Fixed in 3.2.6.9

CVSS

8.6 (high)

Published

2020-03-16

Title

LearnPress < 3.2.6.7 - Privilege Escalation

Fixed in

Fixed in 3.2.6.7

CVSS

6.5 (medium)