Platform
wordpress
Component
learnpress
Fixed in
4.3.4
CVE-2026-4333 represents a Stored Cross-Site Scripting (XSS) vulnerability discovered within the LearnPress WordPress LMS Plugin. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to inject malicious web scripts into pages. The vulnerability affects versions of the plugin up to and including 4.3.3, and a patch is available in version 4.3.4.
CVE-2026-4333 in the LearnPress WordPress LMS plugin poses a significant risk to websites utilizing this Learning Management System (LMS). It allows an attacker to inject malicious JavaScript code into course pages via the 'skin' attribute of the learnpresscourses shortcode. This injected code executes within the browsers of users visiting affected pages, potentially leading to cookie theft, redirection to malicious websites, or page content manipulation. The root cause is insufficient input sanitization of the 'skin' attribute before its use in HTML generation. Websites with a large number of registered course users are particularly vulnerable, as a successful attack could impact many users.
An attacker could exploit this vulnerability by crafting a learnpresscourses shortcode with a malicious value in the 'skin' attribute. This malicious value would contain JavaScript code that executes in the browsers of users visiting the page containing the shortcode. The attacker could inject this shortcode directly into the website's code, or through a vulnerability in another plugin or theme that allows code injection. The ease of exploitation makes this vulnerability a significant concern for LearnPress users.
Exploit Status
EPSS
0.04% (12th percentile)
The recommended solution is to update the LearnPress plugin to version 4.3.4 or higher. This version includes a fix that properly sanitizes the 'skin' attribute input before usage, preventing malicious code injection. Additionally, review existing shortcodes on the website to ensure no untrusted values are used in the 'skin' attribute. If immediate updating isn't possible, a temporary workaround is to disable the learnpresscourses shortcode or restrict access to course pages to authenticated users with administrative privileges. A website backup is crucial before applying any updates or modifications.
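The fix described above comes down to allowlisting the 'skin' value before it reaches HTML, and the interim advice is to review stored shortcodes for untrusted values. The following is an added example (not LearnPress code) that does both for post content: it parses learnpresscourses shortcodes with a parser approximating WordPress attribute syntax, applies a slug allowlist (the exact allowed values are an assumption), and reports any stored skin value that the allowlist would reject. The sample posts are constructed.

```python
import re

# Attribute grammar approximating WordPress shortcode parsing:
# key="value", key='value' or key=value (unquoted, ends at whitespace or ']').
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))''')

# Shortcode tag as named on this page; the attribute under review is 'skin'.
SHORTCODE_RE = re.compile(r'\[learnpresscourses\b([^\]]*)\]', re.IGNORECASE)

# Allowlist (assumption): a skin is a short template slug, nothing else.
SAFE_SKIN_RE = re.compile(r'^[a-z0-9_-]{1,64}$')


def parse_attrs(attr_text):
    """Map attribute names to raw string values for one shortcode instance."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        attrs[name.lower()] = dq if dq is not None else sq if sq is not None else bare
    return attrs


def sanitize_skin(value, default="default"):
    """Allowlist filter in the spirit of the 4.3.4 fix: a well-formed slug passes
    through lowercased; anything else (markup, quotes, event handlers) is
    replaced by the default instead of being emitted into HTML."""
    slug = value.strip().lower()
    return slug if SAFE_SKIN_RE.match(slug) else default


def audit_posts(posts):
    """Return (post_id, offset, raw_skin) for each shortcode whose skin value the
    allowlist would reject; meant for reviewing stored content before updating."""
    findings = []
    for post_id, content in posts.items():
        for m in SHORTCODE_RE.finditer(content):
            skin = parse_attrs(m.group(1)).get("skin")
            if skin is not None and sanitize_skin(skin, default=None) is None:
                findings.append((post_id, m.start(), skin))
    return findings


# Constructed sample post_content rows; not real site data.
SAMPLE_POSTS = {
    101: 'Our catalogue: [learnpresscourses skin="grid" limit=6]',
    102: "[learnpresscourses skin='list-compact'] and [learnpresscourses limit=4]",
    103: '[LearnPressCourses skin=Grid]',
    104: 'Intro [learnpresscourses skin="grid <script>alert(1)</script>" order=asc]',
}

if __name__ == "__main__":
    for post_id, offset, skin in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id} @ {offset}: rejected skin value {skin!r}")
```

In a real review the dictionary would be fed from `wp_posts.post_content`; the allowlist must mirror the skins the plugin actually ships rather than the pattern assumed here.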
Update to version 4.3.4, or a newer patched version
LearnPress is a popular WordPress plugin that allows users to create and sell online courses.
Version 4.3.4 fixes the CVE-2026-4333 vulnerability, preventing malicious code injection.
Disable the learnpresscourses shortcode or restrict access to course pages to administrators.
If you are using a version prior to 4.3.4, your website is vulnerable.
Keep all plugins and themes updated, use strong passwords, and enable two-factor authentication.