WordPress Plugin Vulnerabilities

LearnPress < 3.2.6.9 - Authenticated Post Creation and Status Modification

Description

The LearnPress plugin for WordPress allows authenticated remote attackers with minimal permissions to create pages with arbitrary titles, or modify the publication status of any existing page, via the learnpress_create_page or learnpress_update_order_status AJAX actions.

Affects Plugins

Plugin icon
learnpress
Fixed in 3.2.6.9

References

CVE
CVE-2020-11510
URL
https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Submitter
Ramuel Gall
Verified
No
WPVDB ID
d9e0311d-8430-4c9f-9b04-8cd022c9b7c0

Timeline

Publicly Published
2020-04-28 (about 6 years ago)
Added
2020-04-28 (about 6 years ago)
Last Updated
2020-04-29 (about 6 years ago)

Other

Published
Title
Published
2023-11-24
Title
Theme My Login 2FA < 1.2 - Lack of Rate Limiting
Published
2026-04-14
Title
Visa Acceptance Solutions <= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email
Published
2024-08-12
Title
JobSearch <= 2.3.4 - Authentication Bypass to Account Takeover
Published
2014-08-01
Title
Delightful Downloads 1.3.1.1 - meta-boxes.php dedo_meta_boxes_save Function Multiple Action Authorization Bypass
Published
2026-05-04
Title
MoreConvert Pro < 1.9.15 - Authentication Bypass via Waitlist Guest Verification Token Reuse