CVE-2026-4333
Stored XSS in LearnPress Plugin via 'skin' Shortcode Attribute
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thimpress | learnpress | to 4.3.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The LearnPress WordPress LMS Plugin is vulnerable to Stored Cross-Site Scripting (XSS) through the 'skin' attribute of the learn_press_courses shortcode in all versions up to 4.3.3.
This vulnerability arises because the 'skin' attribute value is not properly sanitized or escaped before being used in an sprintf() call that generates HTML attributes, allowing malicious scripts to be injected.
Authenticated users with Contributor-level access or higher can exploit this to inject arbitrary web scripts that execute whenever any user views the affected page.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access to inject malicious scripts into pages, which will execute in the browsers of users who visit those pages.
Such script execution can lead to theft of user credentials, session hijacking, defacement, or other malicious actions impacting the integrity and security of the website and its users.
Because the attack requires authenticated access, the risk is limited to environments where users have such permissions, but the impact on confidentiality and integrity is significant.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the LearnPress WordPress LMS Plugin version 4.3.3 or earlier is installed and if the 'skin' attribute of the learn_press_courses shortcode is being used in posts or pages.
Since the vulnerability is a Stored Cross-Site Scripting via the 'skin' shortcode attribute, you can search your WordPress database for instances of the shortcode with suspicious or unusual values in the 'skin' attribute.
- Use WP-CLI to search posts for the shortcode usage, for example: wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[learn_press_courses%skin=%'"
- Manually inspect the output for any injected scripts or unusual HTML attributes in the 'skin' parameter.
Network detection is difficult because the exploit requires authenticated access and the malicious script is stored and executed in the context of the WordPress site. Monitoring for unusual script execution or unexpected HTML attributes in pages generated by the plugin may help.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the LearnPress plugin to a version later than 4.3.3 where this vulnerability is fixed.
If an update is not immediately possible, restrict Contributor-level and above users from adding or editing content that uses the 'skin' attribute in the learn_press_courses shortcode.
Additionally, review and sanitize any existing content that uses the 'skin' attribute to remove any injected scripts.
Implement security measures such as a Web Application Firewall (WAF) to block malicious payloads and monitor for suspicious activity.