MEDIUM 5.3

CVE-2026-8502: LearnPress LMS Plugin Sensitive Data Exposure Vulnerability

The LearnPress WordPress LMS plugin contains a flaw that lets unauthenticated attackers read sensitive course data. By crafting a specific request to the courses API endpoint with two parameters (c_status=all and return_type=json), an attacker can bypass intended access controls and retrieve plaintext passwords for protected courses, as well as unpublished course content, author names, and other metadata. The vulnerability affects all versions up to 4.3.6.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'return_type' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe DISTINCT(ID) AS ID field override) in a single unauthenticated request to the /wp-json/lp/v1/courses/archive-course endpoint.

14 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8502 exploits insufficient access controls in the LearnPress plugin's /wp-json/lp/v1/courses/archive-course REST endpoint. The vulnerability stems from two design flaws: first, the c_status=all parameter bypasses the default WHERE clause that restricts results to published posts; second, return_type=json prevents the application of a safe field override that would normally restrict output to post IDs only. Together, these parameters allow an unrestricted SELECT * query to execute, exposing the full post object including post_password (in plaintext), post_content, post_author, and post_name fields. The flaw affects all plugin versions through 4.3.6 and requires no authentication or user interaction.

Business impact

Organizations running WordPress sites with LearnPress for course delivery face exposure of course intellectual property, instructor/author identities, and plaintext course access credentials. An attacker could enumerate and extract entire course libraries, including draft and private materials, without authentication. For education providers, SaaS platforms, and corporate training operations, this represents a direct threat to confidential training content, pricing strategies embedded in course metadata, and student learning paths. Remediation delays compound risk as the exploit is trivial to execute at scale.

Affected systems

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses in all versions up to and including 4.3.6 is vulnerable. Any WordPress installation with this plugin active is at risk, regardless of WordPress version or other plugins, provided the REST API is enabled (default on WordPress 4.7+). The vulnerability is pre-authentication, so no WordPress user account is required to exploit it.

Exploitability

Exploitability is high. The vulnerability requires only two URL parameters in an unauthenticated HTTP GET request to a standard WordPress REST endpoint. No special tools, credentials, or user interaction are needed. The endpoint is discoverable via WordPress plugin enumeration or public GitHub repositories. An attacker can systematically extract all course metadata by iterating through possible course IDs or by using the archive endpoint's pagination. The CVSS score of 5.3 (MEDIUM) reflects confidentiality impact but no integrity or availability damage; however, the ease of exploitation and lack of authentication requirements make practical risk assessment skew higher for organizations with sensitive course content.

Remediation

Upgrade the LearnPress plugin to a version that remediates this vulnerability. Verify the corrected version against the official LearnPress plugin repository or vendor advisory to confirm the fix is included. As an interim compensating control, restrict REST API access to authenticated users via WordPress security plugins or web application firewall rules, though this may break legitimate API consumers. Organizations should audit access logs for the /wp-json/lp/v1/courses/archive-course endpoint to detect potential exploitation attempts using the c_status=all and return_type=json parameter combination.

Patch guidance

Check the official LearnPress plugin page on WordPress.org and the vendor's security advisory for the specific patched version that addresses CVE-2026-8502. Versions after 4.3.6 are expected to be safe, but verify against the advisory before deploying. Apply patches to all WordPress installations running the plugin. If automatic updates are not enabled, manually download and install the corrected version. Test in a staging environment first to ensure course functionality and API integrations remain intact.

Detection guidance

Monitor access logs and WAF logs for requests to /wp-json/lp/v1/courses/archive-course that include both c_status=all and return_type=json parameters. Successful exploitation will return HTTP 200 with full post objects containing password and content fields. Log analysis tools and SIEM systems should create rules to alert on this parameter combination from unauthenticated sources. Additionally, audit WordPress debug logs (if enabled) for REST API calls from non-logged-in users to this endpoint. File integrity monitoring can detect unauthorized plugin modifications or installation of malicious forks.

Why prioritize this

Despite a MEDIUM CVSS score, this vulnerability should be prioritized for organizations handling proprietary training content, premium courses, or draft intellectual property. The exploit is trivial (two parameters in a URL), requires no authentication, and affects a widely used LMS plugin. While not in the KEV catalog as of publication, the low barrier to exploitation and direct impact on confidentiality of high-value assets warrant prompt remediation. Delay increases exposure window for data exfiltration at scale.

Risk score, explained

The CVSS v3.1 score of 5.3 reflects a network-accessible, low-complexity attack requiring no privileges or user interaction, with a localized confidentiality impact and no integrity or availability impact. The MEDIUM severity accounts for the fact that sensitive data exposure (passwords and unpublished content) does not directly compromise system availability or allow modification of data. However, context matters: for organizations with valuable, proprietary, or regulated training content, the practical risk exceeds the numerical score due to ease of exploitation and lack of authentication barriers.

Frequently asked questions

How do I know if my WordPress site is vulnerable?

Check if the LearnPress plugin is installed and active on your WordPress site. If you are running version 4.3.6 or earlier, you are vulnerable. You can see the plugin version under Plugins in the WordPress admin dashboard. If unsure, check the plugin file wp-content/plugins/learnpress/learnpress.php for the Version header.

What data can an attacker extract?

An unauthenticated attacker can retrieve plaintext passwords for password-protected courses, the full text of draft, private, and pending course content, course author names, and course slugs/names. No other WordPress database fields are exposed unless they are stored in the post_password or post_content fields by the plugin.

Do I need to change all course passwords after patching?

Yes, if your site was running the vulnerable version. Assume that any attacker with network access has already extracted plaintext course passwords. After patching and upgrading the plugin, change all course passwords and consider forcing course re-enrollment or access review for users who previously accessed password-protected courses.

Is the vulnerability in the WordPress core or just the plugin?

The vulnerability is specific to the LearnPress plugin's REST API endpoint implementation. WordPress core and other plugins are not affected. Disabling or removing the LearnPress plugin eliminates this specific risk, though you would lose course management functionality.

This analysis is based on publicly disclosed vulnerability information and vendor advisory data current as of publication date. CVSS scores and severity ratings reflect NIST and vendor assessments and may not account for all organizational contexts. No exploit code or weaponized proof-of-concept is provided herein. Organizations must verify patch availability and compatibility in their specific WordPress environments before deployment. SEC.co and its authors provide no warranty regarding the completeness or accuracy of mitigation strategies and recommend consulting with your security team and the plugin vendor for environment-specific guidance. This is educational material for security professionals and does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).