WordPress Plugin Vulnerabilities

LearnPress Export Import < 4.1.0 - Reflected Cross-Site Scripting

Description

The LearnPress Export Import plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
learnpress-import-export
Fixed in 4.1.0

References

CVE
CVE-2025-49992
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9e169776-0475-45b8-8e8f-ac98cee558a3

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
023c7936-8d9c-4ca6-89fd-a99ea348ac65

Timeline

Publicly Published
2025-07-22 (about 9 months ago)
Added
2025-12-11 (about 5 months ago)
Last Updated
2026-02-26 (about 2 months ago)

Other

Published
Title
Published
2024-06-06
Title
Theme < 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-29
Title
Mighty Classic Pros And Cons <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2019-09-05
Title
WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
Published
2024-11-08
Title
Brand my Footer <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2019-04-18
Title
CarSpot Theme <= 2.1.6 - Authenticated Stored XSS