CVE-2026-8502
Sensitive Information Exposure in LearnPress WordPress LMS Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| thimpress | learnpress | to 4.3.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The LearnPress WordPress LMS Plugin is vulnerable to Sensitive Information Exposure in all versions up to and including 4.3.6. This vulnerability arises from improper handling of the 'return_type' parameter, allowing unauthenticated attackers to extract sensitive data.
Attackers can exploit this by sending a specially crafted request to the /wp-json/lp/v1/courses/archive-course endpoint with parameters c_status=all and return_type=json. This bypasses restrictions and allows access to sensitive information such as plaintext passwords of password-protected courses, as well as full content, author, and name details of unpublished or private courses.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive information including plaintext passwords and unpublished course content. Such exposure can compromise the confidentiality of course materials and user data.
An attacker could use this information to gain unauthorized access to protected courses or misuse unpublished content, potentially damaging the reputation of the course provider and leading to loss of trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthenticated HTTP requests to the endpoint /wp-json/lp/v1/courses/archive-course that include the parameters c_status=all and return_type=json.
A possible command to detect such attempts using curl could be:
- curl -I "http://yourwordpresssite.com/wp-json/lp/v1/courses/archive-course?c_status=all&return_type=json"
Network monitoring tools or intrusion detection systems can be configured to alert on requests containing these specific parameters targeting the mentioned endpoint.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the LearnPress WordPress LMS Plugin to a version later than 4.3.6 where this issue is fixed.
Until an update is applied, restrict access to the /wp-json/lp/v1/courses/archive-course endpoint by implementing firewall rules or access controls to block unauthenticated requests containing the parameters c_status=all and return_type=json.
Additionally, monitor logs for suspicious requests to this endpoint and consider temporarily disabling the plugin if an update is not immediately available.