CVE-2026-7648: Payment Bypass in LearnPress WordPress LMS

The primary impact of CVE-2026-7648 is the ability for attackers to gain free access to paid courses within a LearnPress-powered WordPress site. This directly impacts revenue streams for course creators and potentially exposes course content to unauthorized individuals. While the vulnerability requires authentication (subscriber level or higher), the ease of access makes it a significant risk. An attacker could systematically enroll in all paid courses, potentially disrupting the platform's financial model and undermining the value proposition for paying customers. The potential for abuse extends beyond simple free access; attackers could use this to build a large number of fake accounts to manipulate course rankings or reviews.

1. Reserviert2026-05-01
2. Veröffentlicht2026-05-13
3. Geändert2026-05-14

The primary mitigation for CVE-2026-7648 is to immediately upgrade the LearnPress plugin to version 4.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement without specific knowledge of the vulnerable endpoint, restricting access to the LearnPress REST API endpoint responsible for adding items to the cart (investigate the addtocart() function call) could offer limited protection. Thoroughly test any configuration changes in a staging environment before applying them to production. After upgrading, confirm the vulnerability is resolved by attempting to enroll in a paid course with a subscriber-level user account and verifying that payment is required.