LearnPress – Course Review < 4.2.0 – Authenticated (Learnpress student+) Stored Cross-Site Scripting | CVE 2026-24361 | Plugin Vulnerabilities

Description

The LearnPress – Course Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with learnpress student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

learnpress-course-review

Fixed in 4.2.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/924b6413-79f2-4f8f-8d73-74dbfb48550c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Arif Shaikh

Verified

No

WPVDB ID

8b73bdf7-f047-4738-b4e3-71334cb5b88b

Timeline

Publicly Published

2026-01-15 (about 5 months ago)

Added

2026-01-27 (about 4 months ago)

Last Updated

2026-01-27 (about 4 months ago)

Other

Published

Title

Published

2025-03-31

Title

Uptime Robot Plugin for WordPress <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2020-04-24

Title

YOP Poll < 6.1.5 - Authenticated Stored XSS

Published

2026-04-21

Title

Sentence To SEO (keywords, description and tags) <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Permanent keywords' Field

Published

2012-05-15

Title

Leaflet <= 0.0.1 - Cross Site Scripting

Published

2024-02-01

Title

SlimStat Analytics < 5.1.4 - Subscriber+ Stored XSS