CVE-2026-7648: Payment Bypass in LearnPress WordPress LMS

The primary impact of CVE-2026-7648 is the ability for attackers to gain free access to paid courses within a LearnPress-powered WordPress site. This can result in significant revenue loss for course creators and platform owners. An attacker could systematically enroll in all paid courses, potentially disrupting the platform's business model. While requiring authentication (subscriber level or higher), the relatively low access threshold expands the potential attack surface. This vulnerability shares similarities with other API parameter manipulation flaws where unsanitized input leads to unintended function behavior.

1. 已保留2026-05-01
2. 发布日期2026-05-13
3. 修改日期2026-05-14

The primary mitigation for CVE-2026-7648 is to immediately upgrade the LearnPress plugin to version 4.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable REST API endpoint. WordPress firewall (WAF) rules could be implemented to filter requests containing suspicious parameters in the addtocart() function. Regularly review user roles and permissions to ensure the principle of least privilege is enforced, limiting the potential impact of compromised subscriber accounts. After upgrading, confirm the fix by attempting to enroll in a paid course with a subscriber-level user account and verifying that payment is required.