Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-7648: Payment Bypass in LearnPress WordPress LMS
Plateforme
wordpress
Composant
learnpress
Corrigé dans
4.3.6
CVE-2026-7648 is a payment bypass vulnerability discovered in the LearnPress WordPress LMS plugin. This flaw allows authenticated attackers, even those with subscriber-level access, to enroll in paid courses without charge. The vulnerability affects versions 0.0.0 through 4.3.5 of the plugin and has been resolved in version 4.3.6.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Impact et Scénarios d'Attaquetraduction en cours…
The primary impact of CVE-2026-7648 is the ability for attackers to gain free access to paid courses within a LearnPress-powered WordPress site. This can result in significant revenue loss for course creators and platform owners. An attacker could systematically enroll in all paid courses, potentially disrupting the platform's business model. While requiring authentication (subscriber level or higher), the relatively low access threshold expands the potential attack surface. This vulnerability shares similarities with other API parameter manipulation flaws where unsanitized input leads to unintended function behavior.
Contexte d'Exploitationtraduction en cours…
CVE-2026-7648 was published on 2026-05-14. Its severity is currently assessed as medium. No public exploits or proof-of-concept code have been publicly disclosed at the time of writing. It is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Monitor WordPress security forums and vulnerability databases for any updates.
Renseignement sur les Menaces
Statut de l'Exploit
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Faible — tout compte utilisateur valide est suffisant.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Aucun — aucun impact sur la confidentialité.
- Integrity
- Faible — l'attaquant peut modifier certaines données avec un impact limité.
- Availability
- Aucun — aucun impact sur la disponibilité.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2026-7648 is to immediately upgrade the LearnPress plugin to version 4.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable REST API endpoint. WordPress firewall (WAF) rules could be implemented to filter requests containing suspicious parameters in the addtocart() function. Regularly review user roles and permissions to ensure the principle of least privilege is enforced, limiting the potential impact of compromised subscriber accounts. After upgrading, confirm the fix by attempting to enroll in a paid course with a subscriber-level user account and verifying that payment is required.
Comment corriger
Mettre à jour vers la version 4.3.6, ou une version corrigée plus récente
Questions fréquentestraduction en cours…
What is CVE-2026-7648 — Payment Bypass in LearnPress WordPress LMS?
CVE-2026-7648 is a medium severity vulnerability in LearnPress WordPress LMS versions 0.0.0–4.3.5 that allows authenticated attackers to bypass payment and enroll in paid courses for free due to improper handling of request parameters.
Am I affected by CVE-2026-7648 in LearnPress WordPress LMS?
Yes, if your WordPress site uses the LearnPress plugin and is running version 4.3.5 or earlier, you are affected by this vulnerability. Upgrade to version 4.3.6 to mitigate the risk.
How do I fix CVE-2026-7648 in LearnPress WordPress LMS?
The recommended fix is to upgrade the LearnPress plugin to version 4.3.6 or later. If immediate upgrade is not possible, consider temporary restrictions on the vulnerable API endpoint.
Is CVE-2026-7648 being actively exploited?
Currently, there are no publicly disclosed exploits or active campaigns targeting CVE-2026-7648. However, it's crucial to apply the patch promptly to prevent potential future exploitation.
Where can I find the official LearnPress advisory for CVE-2026-7648?
Refer to the official LearnPress plugin website and WordPress security announcements for the latest information and advisory regarding CVE-2026-7648: [https://www.learnpress.com/](https://www.learnpress.com/)
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Scannez votre projet WordPress maintenant — sans compte
scanZone.subtitle
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...