CVE-2026-3226
Unauthorized Email Notification Trigger in LearnPress LMS Plugin
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thimpress | learnpress | up to 4.3.2.8 (inclusive) |
| thimpress | learnpress | 4.3.2.7 |
| thimpress | learnpress | 4.3.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the LearnPress WordPress LMS Plugin exists because the plugin's SendEmailAjax class lacks proper capability checks on all its email notification functions. Although the AJAX dispatcher verifies a wp_rest nonce, it does not check user permissions with current_user_can() before executing email-related functions.

Since the wp_rest nonce is embedded in frontend JavaScript accessible to all authenticated users (Subscriber-level and above), an attacker with such access can trigger arbitrary email notifications to admins, instructors, and users.

This allows unauthorized users to send emails impersonating admin decisions or flood inboxes, exploiting missing permission checks in the AJAX email sending handlers. [1, 3, 5]
How can this vulnerability impact me?
This vulnerability can impact you by allowing authenticated users with low-level access (Subscriber and above) to send unauthorized email notifications through the LearnPress plugin.
- Email flooding: Attackers can send large volumes of emails to admins, instructors, and users, potentially overwhelming inboxes.
- Social engineering: Attackers can impersonate admin decisions or instructor requests, misleading recipients.
- Impersonation: Unauthorized emails may appear legitimate, damaging trust and causing confusion.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized triggering of email notifications via AJAX requests in the LearnPress WordPress plugin. Detection can focus on monitoring AJAX requests to the LearnPress plugin endpoints, especially those invoking email sending functions without proper capability checks.

Specifically, you can look for suspicious POST requests containing the parameter 'lp-load-ajax' targeting the SendEmailAjax class methods, which are responsible for sending emails. Since the vulnerability allows authenticated users with Subscriber-level access and above to trigger these emails, monitoring authenticated user activity for unusual email-triggering AJAX calls is important.

Suggested commands to detect exploitation attempts include:

- Using web server logs (e.g., Apache or Nginx), grep for requests containing 'lp-load-ajax' and 'SendEmailAjax' or related email sending actions.
- Example command to search access logs for suspicious AJAX calls: `grep 'lp-load-ajax' /var/log/apache2/access.log | grep 'SendEmailAjax'`
- Monitor WordPress AJAX endpoints for POST requests with 'nonce' parameters and 'lp-load-ajax' values related to email sending.
- Use WordPress debugging or logging plugins to log AJAX requests and user capabilities to identify unauthorized email triggers.

Because the vulnerability exploits missing capability checks in AJAX handlers, reviewing plugin code or logs for calls to SendEmailAjax methods without proper permission checks can also help detect attempts. [1, 5]
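The grep pipeline above only says whether the two indicator strings appear on the same line; it does not distinguish a single legitimate admin action from a burst that looks like inbox flooding. The following script is an added example (not part of the advisory or of LearnPress) that parses Apache/Nginx combined-format access log lines, keeps only POST requests whose `lp-load-ajax` query parameter names the SendEmailAjax handler, and counts hits per client IP so repeated triggers stand out. The log lines, the `/wp-admin/admin-ajax.php` path, the `ExampleOtherHandler` and `example_method` names and the per-IP flood threshold are all constructed assumptions for the demo; the `lp-load-ajax` parameter and the `SendEmailAjax` class name are the indicators named in the advisory.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" log format. Adjust if your LogFormat differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). Three rapid POSTs from one
# client, one unrelated LearnPress AJAX call, and one email trigger from a
# second client whose action value is URL-encoded ("SendEmailAjax::example_method").
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2026:09:59:58 +0000] "GET /courses/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?lp-load-ajax=SendEmailAjax HTTP/1.1" 200 51 "https://lms.example/courses/" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?lp-load-ajax=SendEmailAjax HTTP/1.1" 200 51 "https://lms.example/courses/" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?lp-load-ajax=SendEmailAjax HTTP/1.1" 200 51 "https://lms.example/courses/" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2026:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?lp-load-ajax=ExampleOtherHandler HTTP/1.1" 200 310 "https://lms.example/courses/" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2026:10:05:40 +0000] "POST /wp-admin/admin-ajax.php?lp-load-ajax=SendEmailAjax%3A%3Aexample_method HTTP/1.1" 200 51 "https://lms.example/courses/" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of log fields plus parsed path/query, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qs URL-decodes values, so %3A%3A becomes '::' before we look at it.
    rec['query'] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_email_ajax(rec):
    """True when the request carries the advisory's indicators: a POST with an
    lp-load-ajax parameter that names the SendEmailAjax handler."""
    if rec['method'] != 'POST':
        return False
    action = rec['query'].get('lp-load-ajax', '')
    return 'SendEmailAjax' in action


def find_email_triggers(lines, flood_threshold=3):
    """Return (matching records, {ip: count} for clients at or above the threshold)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_email_ajax(rec):
            hits.append(rec)
            per_ip[rec['ip']] += 1
    flooding = {ip: n for ip, n in per_ip.items() if n >= flood_threshold}
    return hits, flooding


if __name__ == '__main__':
    hits, flooding = find_email_triggers(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['ip']} {rec['query']['lp-load-ajax']}")
    for ip, n in flooding.items():
        print(f"possible email flooding from {ip}: {n} triggers")
```

Two caveats when running this against real logs: default access logs record only the query string, so an `lp-load-ajax` value sent in the POST body is invisible here and needs request-body logging or a WordPress-side logging plugin; and access logs carry no WordPress user identity, so grouping by client IP is an approximation of the per-user monitoring the answer above recommends.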
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the LearnPress plugin to a version where the vulnerability is fixed, specifically version 4.3.3 or later, which introduces proper permission checks.

The security update adds capability checks using `current_user_can(UserModel::ROLE_ADMINISTRATOR)` in the email sending AJAX functions to ensure only administrators can trigger these emails.

If immediate update is not possible, consider the following temporary mitigations:

- Restrict access to AJAX endpoints related to LearnPress email sending by limiting authenticated user roles that can access these endpoints.
- Implement web application firewall (WAF) rules to block suspicious AJAX requests attempting to trigger email notifications.
- Disable or restrict the LearnPress plugin's AJAX email sending functionality via custom code or plugin settings if feasible.

Additionally, sanitize and monitor email sending logs to detect and prevent email flooding or abuse. [3]