Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-7648: Payment Bypass in LearnPress WordPress LMS
Plataforma
wordpress
Componente
learnpress
Corrigido em
4.3.6
CVE-2026-7648 is a payment bypass vulnerability discovered in the LearnPress WordPress LMS plugin. This flaw allows authenticated attackers, even those with subscriber-level access, to enroll in paid courses without charge. The vulnerability affects versions 0.0.0 through 4.3.5 of the plugin and has been resolved in version 4.3.6.
Detecte esta CVE no seu projeto
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Impacto e Cenários de Ataquetraduzindo…
The primary impact of CVE-2026-7648 is the ability for attackers to gain free access to paid courses within a LearnPress-powered WordPress site. This can result in significant revenue loss for course creators and platform owners. An attacker could systematically enroll in all paid courses, potentially disrupting the platform's business model. While requiring authentication (subscriber level or higher), the relatively low access threshold expands the potential attack surface. This vulnerability shares similarities with other API parameter manipulation flaws where unsanitized input leads to unintended function behavior.
Contexto de Exploraçãotraduzindo…
CVE-2026-7648 was published on 2026-05-14. Its severity is currently assessed as medium. No public exploits or proof-of-concept code have been publicly disclosed at the time of writing. It is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Monitor WordPress security forums and vulnerability databases for any updates.
Inteligência de Ameaças
Status do Exploit
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Baixo — qualquer conta de usuário válida é suficiente.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Inalterado — impacto limitado ao componente vulnerável.
- Confidentiality
- Nenhum — sem impacto na confidencialidade.
- Integrity
- Baixo — o atacante pode modificar alguns dados com alcance limitado.
- Availability
- Nenhum — sem impacto na disponibilidade.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
- Modificada
Mitigação e Soluções Alternativastraduzindo…
The primary mitigation for CVE-2026-7648 is to immediately upgrade the LearnPress plugin to version 4.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable REST API endpoint. WordPress firewall (WAF) rules could be implemented to filter requests containing suspicious parameters in the addtocart() function. Regularly review user roles and permissions to ensure the principle of least privilege is enforced, limiting the potential impact of compromised subscriber accounts. After upgrading, confirm the fix by attempting to enroll in a paid course with a subscriber-level user account and verifying that payment is required.
Como corrigir
Atualize para a versão 4.3.6, ou uma versão corrigida mais recente
Perguntas frequentestraduzindo…
What is CVE-2026-7648 — Payment Bypass in LearnPress WordPress LMS?
CVE-2026-7648 is a medium severity vulnerability in LearnPress WordPress LMS versions 0.0.0–4.3.5 that allows authenticated attackers to bypass payment and enroll in paid courses for free due to improper handling of request parameters.
Am I affected by CVE-2026-7648 in LearnPress WordPress LMS?
Yes, if your WordPress site uses the LearnPress plugin and is running version 4.3.5 or earlier, you are affected by this vulnerability. Upgrade to version 4.3.6 to mitigate the risk.
How do I fix CVE-2026-7648 in LearnPress WordPress LMS?
The recommended fix is to upgrade the LearnPress plugin to version 4.3.6 or later. If immediate upgrade is not possible, consider temporary restrictions on the vulnerable API endpoint.
Is CVE-2026-7648 being actively exploited?
Currently, there are no publicly disclosed exploits or active campaigns targeting CVE-2026-7648. However, it's crucial to apply the patch promptly to prevent potential future exploitation.
Where can I find the official LearnPress advisory for CVE-2026-7648?
Refer to the official LearnPress plugin website and WordPress security announcements for the latest information and advisory regarding CVE-2026-7648: [https://www.learnpress.com/](https://www.learnpress.com/)
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Detecte esta CVE no seu projeto
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Escaneie seu projeto WordPress agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...