5 matches found
LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of...
PT-2026-47194
Name of the Vulnerable Software and Affected Versions: Cordova Plugin InAppBrowser versions 3.1.0 through 6.0.0. Description: The iOS implementation of the InAppBrowser plugin fails to validate the id field from a WKScriptMessage body before passing it to the commandDelegate...
CVE-2026-39368
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege...
CVE-2025-11368 LearnPress – WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of...
CVE-2025-11368
The CWE/CVE entry CVE-2025-11368 maps to the LearnPress WordPress LMS Plugin. Affected versions are up to 4.2.9.4 (and versions prior to 4.2.9.5 as per PT-2025-47660). The root cause is missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax, enabling arbitrary callbac...