CVE-2026-7648: Payment Bypass in LearnPress WordPress LMS
Platform
wordpress
Component
learnpress
Fixed in
4.3.6
CVE-2026-7648 is a payment bypass vulnerability discovered in the LearnPress WordPress LMS plugin. This flaw allows authenticated attackers, even those with subscriber-level access, to enroll in paid courses without charge. The vulnerability affects versions 0.0.0 through 4.3.5 of the plugin and has been resolved in version 4.3.6.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The primary impact of CVE-2026-7648 is the ability for attackers to gain free access to paid courses within a LearnPress-powered WordPress site. This can result in significant revenue loss for course creators and platform owners. An attacker could systematically enroll in all paid courses, potentially disrupting the platform's business model. While requiring authentication (subscriber level or higher), the relatively low access threshold expands the potential attack surface. This vulnerability shares similarities with other API parameter manipulation flaws where unsanitized input leads to unintended function behavior.
Exploitation Context
CVE-2026-7648 was published on 2026-05-14. Its severity is currently assessed as medium. No public exploits or proof-of-concept code have been publicly disclosed at the time of writing. It is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Monitor WordPress security forums and vulnerability databases for any updates.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- None — no confidentiality impact. Attacker cannot read protected data.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
Mitigation and Workarounds
The primary mitigation for CVE-2026-7648 is to immediately upgrade the LearnPress plugin to version 4.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable REST API endpoint. WordPress firewall (WAF) rules could be implemented to filter requests containing suspicious parameters in the addtocart() function. Regularly review user roles and permissions to ensure the principle of least privilege is enforced, limiting the potential impact of compromised subscriber accounts. After upgrading, confirm the fix by attempting to enroll in a paid course with a subscriber-level user account and verifying that payment is required.
How to fix
Update to version 4.3.6, or a newer patched version
Frequently asked questions
What is CVE-2026-7648 — Payment Bypass in LearnPress WordPress LMS?
CVE-2026-7648 is a medium severity vulnerability in LearnPress WordPress LMS versions 0.0.0–4.3.5 that allows authenticated attackers to bypass payment and enroll in paid courses for free due to improper handling of request parameters.
Am I affected by CVE-2026-7648 in LearnPress WordPress LMS?
Yes, if your WordPress site uses the LearnPress plugin and is running version 4.3.5 or earlier, you are affected by this vulnerability. Upgrade to version 4.3.6 to mitigate the risk.
How do I fix CVE-2026-7648 in LearnPress WordPress LMS?
The recommended fix is to upgrade the LearnPress plugin to version 4.3.6 or later. If immediate upgrade is not possible, consider temporary restrictions on the vulnerable API endpoint.
Is CVE-2026-7648 being actively exploited?
Currently, there are no publicly disclosed exploits or active campaigns targeting CVE-2026-7648. However, it's crucial to apply the patch promptly to prevent potential future exploitation.
Where can I find the official LearnPress advisory for CVE-2026-7648?
Refer to the official LearnPress plugin website and WordPress security announcements for the latest information and advisory regarding CVE-2026-7648: [https://www.learnpress.com/](https://www.learnpress.com/)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...