Platform
wordpress
Component
learnpress
Fixed in
4.3.3
CVE-2026-4365 is a critical vulnerability affecting the LearnPress WordPress LMS plugin. It allows unauthenticated attackers to delete quiz answer options due to a missing capability check in the deletequestionanswer() function and improper nonce handling. This vulnerability impacts versions of LearnPress up to and including 4.3.2.8, and a patch is available in version 4.3.3.
CVE-2026-4365 in the LearnPress WordPress LMS plugin allows unauthenticated attackers to delete data because the deletequestionanswer() function performs no capability check. The plugin prints a wp_rest nonce into the public frontend HTML (the lpData object) and uses that nonce as the only security gate for the lp-load-ajax dispatcher. A WordPress nonce is a CSRF token, not an authentication credential: one generated for a logged-out visitor is valid for every logged-out visitor, and here it is handed out in page source anyway. With no capability or ownership check on the deletequestionanswer action, an attacker can delete course content without authenticating. This is a direct threat to the integrity of online learning platforms and to the users and administrators who depend on them; the CVSS score of 9.1 reflects the critical severity.
Exploitation is a single crafted AJAX request. An unauthenticated attacker loads a public page, reads the nonce out of lpData, and sends it to the lp-load-ajax endpoint together with the deletion action and the ID of the target answer. Because nothing checks who is calling, deletequestionanswer() runs and removes the answer option from the quiz. The nonce is trivially obtainable and the request is simple to script, so automated mass deletion of quiz content is the realistic scenario rather than a one-off manual attack.
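The two handlers below are an added illustration, not LearnPress's own code: the unsafe pattern the advisory describes beside a hardened version that checks authentication, an action-bound nonce, and a capability against the specific object being modified. The class and method names, the answer_id parameter and the lp_quiz_answers table are assumptions made for the example.

```php
<?php
// Added example, not LearnPress code. Class names, the "answer_id" parameter and
// the lp_quiz_answers table are illustrative assumptions.

abstract class Quiz_Answer_Ajax_Base {
    /** Delete one answer row. Hypothetical table and column names. */
    protected static function delete_answer_row( int $answer_id ): bool {
        global $wpdb;
        return (bool) $wpdb->delete( $wpdb->prefix . 'lp_quiz_answers', [ 'answer_id' => $answer_id ], [ '%d' ] );
    }

    /** Return the question post that owns an answer row, or 0. Hypothetical schema. */
    protected static function answer_question_id( int $answer_id ): int {
        global $wpdb;
        return (int) $wpdb->get_var( $wpdb->prepare(
            "SELECT question_id FROM {$wpdb->prefix}lp_quiz_answers WHERE answer_id = %d",
            $answer_id
        ) );
    }
}

// VULNERABLE: the only gate is the generic wp_rest nonce. WordPress issues that
// nonce to logged-out visitors as user 0 with an empty session token, so every
// anonymous visitor holds the same valid value, and the plugin prints it into
// public page HTML anyway. Verifying it proves nothing about who is calling.
class Vulnerable_Quiz_Answer_Ajax extends Quiz_Answer_Ajax_Base {
    public static function delete_question_answer(): void {
        if ( ! wp_verify_nonce( $_REQUEST['nonce'] ?? '', 'wp_rest' ) ) {
            wp_send_json_error( 'bad nonce', 403 );
        }
        $answer_id = absint( $_REQUEST['answer_id'] ?? 0 );
        // No is_user_logged_in(), no current_user_can(), no ownership check.
        self::delete_answer_row( $answer_id );
        wp_send_json_success();
    }
}

// HARDENED: authentication first, then a nonce bound to this action and this
// user's session, then authorization against the object being modified.
class Hardened_Quiz_Answer_Ajax extends Quiz_Answer_Ajax_Base {
    const NONCE_ACTION = 'lp_delete_question_answer';

    /** Only emit the nonce to users who could pass the checks in the handler. */
    public static function nonce_for_current_user(): string {
        return is_user_logged_in() ? wp_create_nonce( self::NONCE_ACTION ) : '';
    }

    public static function delete_question_answer(): void {
        if ( ! is_user_logged_in() ) {
            wp_send_json_error( 'login required', 401 );
        }
        // Dies with -1 on failure; unlike wp_rest, this nonce names the action.
        check_ajax_referer( self::NONCE_ACTION, 'nonce' );

        $answer_id   = absint( $_POST['answer_id'] ?? 0 );
        $question_id = self::answer_question_id( $answer_id );
        // edit_post is a meta capability: WordPress maps it to edit_posts or
        // edit_others_posts depending on whether the caller authored the question,
        // so this single call is both the capability check and the ownership check.
        if ( 0 === $question_id || ! current_user_can( 'edit_post', $question_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        if ( ! self::delete_answer_row( $answer_id ) ) {
            wp_send_json_error( 'not found', 404 );
        }
        wp_send_json_success( [ 'deleted' => $answer_id ] );
    }
}
```

The order matters: authentication before the nonce check, because a nonce for a logged-out session is shared by every anonymous visitor; and a capability check on the specific post ID rather than a blanket capability, so one instructor cannot delete another instructor's answers.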
Exploit Status
EPSS: 0.07% (21st percentile)
The immediate mitigation is to update LearnPress to version 4.3.3 or later, which adds the capability check that deletequestionanswer() was missing. Beyond that, keep plugins and themes current and keep user privileges minimal; password policy does nothing against this bug, since the attacker never logs in. A Web Application Firewall rule that rejects the deletion action from unauthenticated clients adds a layer of protection, and monitoring web-server logs for requests to lp-load-ajax helps with detection and response.
Update to version 4.3.3, or a newer patched version
A nonce (number used once) is a token WordPress uses to prevent Cross-Site Request Forgery (CSRF). It proves that a request originated from a page WordPress rendered, not who sent it. Here the plugin treated the nonce as if it were an access-control check, and because the nonce is printed into public HTML, anyone can read it and submit a request that passes verification.
If you cannot update immediately, block the deletion action for unauthenticated requests at the edge or inside WordPress itself (a WAF rule or a small must-use plugin), and watch the web-server logs for requests to lp-load-ajax. Restricting the admin panel does not help, because the vulnerable endpoint is served on the public frontend.
Check the installed LearnPress version: anything below 4.3.3 is vulnerable. Function calls do not appear in web-server logs, but requests to the lp-load-ajax dispatcher do; search the access log for that endpoint with the answer-deletion action and treat hits from clients that never authenticated as attack attempts. Also review quizzes for answer options that have gone missing.
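The must-use plugin below is an added example of such a temporary guard, not code from LearnPress or the advisory. It assumes, without confirmation from the advisory, that the dispatcher reads the action name from a request parameter called lp-load-ajax and that the deletion action is named delete_question_answer; confirm both against the request a vulnerable site actually sends before relying on it.

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2026-4365 (added example, not LearnPress code)
 *
 * Drop into wp-content/mu-plugins/ until LearnPress 4.3.3 is deployed, then delete.
 * Assumptions: the dispatcher takes its action from the "lp-load-ajax" request
 * parameter, and the deletion action is named delete_question_answer. Verify the
 * real parameter and action name in the browser's network tab and adjust.
 */

const LP_GUARD_ACTIONS = [ 'delete_question_answer' ];

/**
 * True when the request targets a guarded action and the caller is not allowed.
 * Pure function so it can be exercised outside WordPress.
 */
function lp_guard_should_block( array $request, bool $caller_allowed ): bool {
    $action = isset( $request['lp-load-ajax'] ) ? strtolower( trim( (string) $request['lp-load-ajax'] ) ) : '';
    if ( '' === $action ) {
        return false;
    }
    // Fold "delete-question-answer", "delete_question_answer" and
    // "deletequestionanswer" to one spelling so a guard entry matches however
    // the client encodes it.
    $canon = str_replace( [ '-', '_' ], '', $action );
    foreach ( LP_GUARD_ACTIONS as $guarded ) {
        if ( $canon === str_replace( [ '-', '_' ], '', $guarded ) ) {
            return ! $caller_allowed;
        }
    }
    return false;
}

// plugins_loaded fires after pluggable.php is included (so is_user_logged_in()
// exists) and, at priority 0, before any regular plugin's callbacks on this or a
// later hook, so the dispatcher never sees the request. Tighten the second
// argument to a capability such as current_user_can( 'edit_posts' ) if students
// should not be able to reach the action either.
add_action( 'plugins_loaded', function () {
    if ( lp_guard_should_block( $_REQUEST, is_user_logged_in() ) ) {
        nocache_headers();
        wp_send_json_error( [ 'message' => 'This action requires an authenticated user.' ], 403 );
    }
}, 0 );
```

This only closes the unauthenticated path; a logged-in low-privilege account would still pass, which is why the plugin update, with its capability check, remains the actual fix.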
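The script below is an added example of that log search, not part of the advisory: it parses web-server access-log lines and reports every request that reached the lp-load-ajax dispatcher, flagging the answer-deletion action. It assumes the Apache/nginx "combined" log format and that the action travels in the query string as lp-load-ajax=<name>; if the client sends the action in the POST body, the access log shows only the dispatcher URL, and every anonymous POST to it should then be reviewed. The log lines in the script are constructed, not real traffic.

```php
<?php
// Added example, not from the advisory: find requests to the LearnPress AJAX
// dispatcher in an access log and flag the answer-deletion action.
// Assumptions: combined log format; action passed as ?lp-load-ajax=<name>.

const ACCESS_LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/';

/** Return one record per request that carried an lp-load-ajax action. */
function find_dispatcher_hits( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        if ( ! preg_match( ACCESS_LOG_RE, $line, $m ) ) {
            continue; // not a combined-format line; skip rather than guess
        }
        parse_str( (string) parse_url( $m['target'], PHP_URL_QUERY ), $params );
        if ( ! array_key_exists( 'lp-load-ajax', $params ) ) {
            continue;
        }
        // Normalise separators so delete_question_answer, delete-question-answer
        // and deletequestionanswer all compare equal.
        $action = str_replace( [ '-', '_' ], '', strtolower( (string) $params['lp-load-ajax'] ) );
        $hits[] = [
            'ip'       => $m['ip'],
            'time'     => $m['ts'],
            'method'   => $m['method'],
            'action'   => $action,
            'status'   => (int) $m['status'],
            // Deletion attempts are the signal; other dispatcher actions are context.
            'deletion' => str_contains( $action, 'deletequestionanswer' ),
        ];
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Two scripted deletions from one
// address, one ordinary quiz start, one page view that is not a dispatcher call.
$sample = [
    '203.0.113.7 - - [10/Mar/2026:11:02:13 +0000] "GET /?lp-load-ajax=delete_question_answer&answer_id=417&nonce=3e1a9c0b2d HTTP/1.1" 200 27 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2026:11:02:14 +0000] "GET /?lp-load-ajax=delete_question_answer&answer_id=418&nonce=3e1a9c0b2d HTTP/1.1" 200 27 "-" "python-requests/2.31"',
    '198.51.100.5 - - [10/Mar/2026:11:05:40 +0000] "POST /?lp-load-ajax=start_quiz HTTP/1.1" 200 512 "https://lms.example/course/intro" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:11:06:02 +0000] "GET /courses/intro/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
];

foreach ( find_dispatcher_hits( $sample ) as $h ) {
    printf( "%s %-13s %-5s %-22s %d %s\n",
        $h['time'], $h['ip'], $h['method'], $h['action'], $h['status'], $h['deletion'] ? 'DELETION' : '' );
}
```

To run it against a real log, replace $sample with file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES). Access logs do not show session cookies, so a legitimate instructor's edit and an attacker's request look alike at this layer; a burst of deletions with sequential answer IDs from one address with a non-browser user agent, as in the sample, is the pattern worth escalating.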
Some WordPress vulnerability scanning tools may detect this vulnerability. However, updating the plugin is the most effective solution.
A CVSS score of 9.1 is in the critical range. It reflects that the flaw is reachable over the network by anyone, requires no privileges or user interaction, and is exploitable with low complexity; the impact here falls on integrity and availability, since course content is deleted, rather than on confidentiality.