Lucene search
K
ThimpressLearnpress

45 matches found

CVE
CVE
added 2024/09/12 8:30 a.m.214 views

CVE-2024-8522

LearnPress WordPress LMS Plugin (= 4.2.7.1) or apply vendor-supplied security fixes. Technical details and PoCs are available in multiple connected sources (e.g., nuclei template, Exploit DB, Metasploit module).

10CVSS8.8AI score0.63134EPSS
In wild
CVE
CVE
added 2024/01/11 8:32 a.m.185 views

CVE-2023-6634

CVE-2023-6634 affects the LearnPress WordPress plugin. It allows unauthenticated remote code execution via the get_content function by abusing call_user_func with user input in versions up to and including 4.2.5.7. The vulnerability enables execution of arbitrary public functions with a single pa...

9.8CVSS9.9AI score0.08544EPSS
In wild
CVE
CVE
added 2024/09/12 8:30 a.m.181 views

CVE-2024-8529

CVE-2024-8529 – LearnPress : The LearnPress WordPress LMS Plugin (versions ≤ 4.2.7) is vulnerable to unauthenticated SQL injection via the c_fields parameter in the /wp-json/lp/v1/courses/archive-course REST API. This is due to insufficient escaping and lack of proper SQL query preparation, allow...

10CVSS8.8AI score0.11831EPSS
CVE
CVE
added 2020/04/30 2:38 p.m.177 views

CVE-2020-6010

The CVE-2020-6010 entry concerns the WordPress LearnPress plugin prior to 3.2.6.8, where an authenticated SQL injection exists in the _get_items method of LP_Modal_Search_Items via the current_items parameter on post-new.php. Impact stated in sources includes data disclosure/manipulation and pote...

8.8CVSS8.9AI score0.49231EPSS
CVE
CVE
added 2021/07/27 4:56 a.m.149 views

CVE-2020-11511

The CVE-2020-11511 entry concerns the LearnPress WordPress plugin (versions prior to 3.2.6.9). A privilege-escalation flaw exists in the learn_press_accept_become_a_teacher function, where the code does not properly check permissions; remote attackers can escalate privileges to LP Instructor via ...

8.1CVSS8.1AI score0.03209EPSS
CVE
CVE
added 2022/04/11 2:40 p.m.148 views

CVE-2022-0271

The CVE-2022-0271 entry concerns the WordPress LearnPress plugin and affects versions before 4.1.6. The underlying issue is insufficient sanitization/escaping of the lp-dismiss-notice before it is rendered back through the lp_background_single_email AJAX action, resulting in a Reflected Cross-Sit...

6.1CVSS6AI score0.02254EPSS
CVE
CVE
added 2024/01/11 8:32 a.m.144 views

CVE-2023-6567

LearnPress for WordPress is vulnerable to time-based SQL injection via the order_by parameter in versions up to 4.2.5.7 due to insufficient escaping and query preparation. Unauthenticated attackers can append SQL to queries to extract data from the WordPress database. Remediation: update to versi...

9.8CVSS8.1AI score0.51394EPSS
CVE
CVE
added 2024/01/11 6:49 a.m.125 views

CVE-2023-6223

CVE-2023-6223 affects the LearnPress – WordPress LMS Plugin. The issue is an insecure direct object reference (IDOR) in all versions up to and including 4.2.5.7, exposed via the /wp-json/lp/v1/profile/course-tab REST API. Missing validation on the userID parameter lets authenticated users with su...

4.3CVSS5.3AI score0.00347EPSS
Web
CVE
CVE
added 2023/01/24 9:5 a.m.110 views

CVE-2022-47615

CVE-2022-47615 – LearnPress WordPress plugin Affected software: LearnPress – WordPress LMS Plugin, versions

9.8CVSS9.5AI score0.05063EPSS
In wild
CVE
CVE
added 2022/02/28 9:6 a.m.106 views

CVE-2022-0377

Affected software: WordPress LearnPress plugin prior to version 4.1.5. Vulnerability: An arbitrary image rename during profile avatar handling. After uploading and cropping, a POST contains the user-supplied image name; the server renames the file using an MD5 value, allowing an attacker to renam...

4.3CVSS4.5AI score0.03205EPSS
CVE
CVE
added 2024/12/10 12:24 p.m.104 views

CVE-2024-11868

Affected software: LearnPress – WordPress LMS Plugin for WordPress. Vulnerability: Sensitive Information Exposure via the REST API, caused by insecure handling in class-lp-rest-material-controller.php, allowing unauthenticated access to potentially paid course material. Affected versions / scope ...

5.3CVSS5.2AI score0.01131EPSS
In wild
CVE
CVE
added 2024/07/02 11:1 a.m.104 views

CVE-2024-6088

CVE-2024-6088 concerns the LearnPress – WordPress LMS Plugin. Affected: all versions up to and including 4.2.6.8.1. Root cause: missing capability check in the register function, enabling unauthenticated users to bypass disabled registration and create accounts with the default role. Impact: unau...

5.3CVSS5.5AI score0.0062EPSS
CVE
CVE
added 2023/01/24 9:13 a.m.103 views

CVE-2022-45808

LearnPress WordPress LMS plugin

9.9CVSS10AI score0.04269EPSS
CVE
CVE
added 2024/06/05 2:34 a.m.88 views

CVE-2024-5483

LearnPress – WordPress LMS Plugin (LearnPress) CVE-2024-5483: Sensitive Information Exposure in all versions up to 4.2.6.8 due to an incorrect implementation of get_items_permissions_check, allowing unauthenticated attackers to retrieve basic user data, including emails. Remediation provided by c...

5.3CVSS5.5AI score0.01008EPSS
CVE
CVE
added 2020/03/16 5:4 p.m.86 views

CVE-2020-7916

Summary: CVE-2020-7916 affects WordPress LearnPress plugin versions 3.2.6.5 and earlier. The flaw resides in be_teacher in class-lp-admin-ajax.php, allowing any registered/authenticated user to call wp-admin/admin-ajax.php?action=learnpress_be_teacher and grant themselves the teacher role without...

6.5CVSS6.5AI score0.01116EPSS
CVE
CVE
added 2024/01/16 3:54 p.m.78 views

CVE-2023-5558

The LearnPress WordPress plugin prior to version 4.2.5.5 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability caused by insufficient sanitization/escaping of user input before output. The issue can be exploited to run scripts in the context of an admin or high-privilege user. Multi...

6.1CVSS6AI score0.00916EPSS
CVE
CVE
added 2024/05/10 8:32 a.m.78 views

CVE-2024-4434

CVE-2024-4434 (LearnPress) details (Mode C): LearnPress WordPress LMS Plugin ≤ 4.2.6.5 is vulnerable to time-based SQL Injection through the term_id parameter due to insufficient escaping and incomplete query preparation. Unauthenticated attackers can append additional SQL to exfiltrate data from...

9.8CVSS7.4AI score0.36925EPSS
CVE
CVE
added 2024/04/05 7:34 a.m.77 views

CVE-2024-2115

CVE-2024-2115 affects LearnPress – WordPress LMS Plugin up to version 4.0.0. Root cause: missing/incorrect nonce validation in filter_users leading to CSRF. Impact: unauthenticated attackers can elevate privileges to Teacher by tricking an admin into performing an action. Public details in connec...

8.8CVSS8.6AI score0.00273EPSS
CVE
CVE
added 2023/01/24 9:18 a.m.74 views

CVE-2022-45820

CVE-2022-45820 is a SQL Injection vulnerability in LearnPress – WordPress LMS Plugin versions

9.1CVSS9.1AI score0.01005EPSS
CVE
CVE
added 2024/04/09 6:59 p.m.74 views

CVE-2024-1463

CVE-2024-1463 corresponds to LearnPress – WordPress LMS Plugin. It enables Stored XSS via Course, Lesson, and Quiz titles/content due to insufficient input sanitization and output escaping in versions up to 4.2.6.3. Exploitation requires LP Instructor-level authentication; an attacker can inject ...

4.8CVSS7.6AI score0.00426EPSS
CVE
CVE
added 2024/05/22 5:32 a.m.71 views

CVE-2024-4971

CVE-2024-4971 refers to LearnPress – WordPress LMS Plugin. Affected: LearnPress ≤ 4.2.6.6. Issue: Stored Cross-Site Scripting via id parameter (per Wordfence details) arising from input handling; the initial description cites Reflected XSS. Root cause per sources: insufficient input sanitization/...

6.4CVSS6.3AI score0.00295EPSS
CVE
CVE
added 2024/04/19 1:57 a.m.68 views

CVE-2024-3560

Analysis of CVE-2024-3560 (LearnPress – WordPress LMS Plugin) Affected software and issue: LearnPress WordPress LMS Plugin (all versions up to and including 4.2.6.4) shows stored cross‑site scripting (XSS) via the _id attribute. The root cause is insufficient input sanitization and output escapin...

6.4CVSS5.7AI score0.0032EPSS
CVE
CVE
added 2024/04/09 6:58 p.m.67 views

CVE-2024-1289

CVE-2024-1289 affects LearnPress – WordPress LMS Plugin. All versions up to 4.2.6.3 are vulnerable to Insecure Direct Object Reference (IDOR) due to missing validation on a user-controlled key when retrieving order data. Authenticated attackers can view orders placed by other users and guests, en...

6.5CVSS8.8AI score0.00391EPSS
CVE
CVE
added 2022/10/31 12:0 a.m.66 views

CVE-2022-3360

CVE-2022-3360 affects the LearnPress WordPress plugin prior to 4.1.7.2. The issue arises from unserialising user input in an unauthenticated REST API endpoint, enabling PHP Object Injection when a suitable gadget is present and potentially leading to remote code execution (RCE). An attacker must ...

8.1CVSS8.6AI score0.01786EPSS
CVE
CVE
added 2024/05/09 8:3 p.m.66 views

CVE-2024-4397

LearnPress – WordPress LMS Plugin (CVE-2024-4397) is vulnerable to arbitrary file uploads due to missing file type validation in save_post_materials, affecting versions up to 4.2.6.5. Authenticated attackers with Instructor-level permissions (or higher) can upload arbitrary files to the server, w...

8.8CVSS7.5AI score0.01025EPSS
CVE
CVE
added 2024/07/25 10:59 a.m.66 views

CVE-2024-6589

The CVE-2024-6589 entry concerns LearnPress – WordPress LMS Plugin (versions

8.8CVSS8.9AI score0.00814EPSS
CVE
CVE
added 2025/01/25 7:24 a.m.65 views

CVE-2024-13599

CVE-2024-13599 affects LearnPress – WordPress LMS Plugin. A stored Cross-Site Scripting flaw arises from insufficient input sanitization and output escaping of a lesson name, enabling authenticated LP Instructor+ attackers to inject scripts that run when users visit injected pages. Affected versi...

6.4CVSS5.8AI score0.00295EPSS
CVE
CVE
added 2024/08/26 8:56 p.m.65 views

CVE-2024-39641

Summary: CVE-2024-39641 is a CSRF vulnerability in LearnPress (WordPress LMS plugin) affecting LearnPress versions up to 4.2.6.8.2. The vulnerability was fixed in version 4.2.6.9. Affected software: LearnPress – WordPress LMS Plugin. Root cause / impact: Cross-Site Request Forgery; exploitation d...

8.8CVSS7AI score0.00185EPSS
CVE
CVE
added 2024/08/08 5:31 a.m.65 views

CVE-2024-7548

CVE-2024-7548 affects LearnPress – WordPress LMS Plugin. It is a time-based SQL Injection via the order parameter in all versions up to and including 4.2.6.9.3, caused by insufficient escaping and incomplete query preparation. Authenticated attackers with Contributor+ rights can append SQL to ext...

8.8CVSS8.7AI score0.00618EPSS
CVE
CVE
added 2024/12/12 6:0 a.m.65 views

CVE-2024-9881

CVE-2024-9881 affects LearnPress for WordPress: LearnPress plugin versions earlier than 4.2.7.2 fail to sanitize/escape certain settings, enabling stored XSS via admin-level abuse (even if unfiltered_html is disallowed). Root cause per sources is lack of proper sanitization/escaping of settings. ...

4.8CVSS5.7AI score0.0037EPSS
CVE
CVE
added 2024/06/19 2:20 p.m.64 views

CVE-2023-36515

CVE-2023-36515: LearnPress for WordPress (plugin versions

9.8CVSS7.8AI score0.00437EPSS
CVE
CVE
added 2024/12/12 6:0 a.m.64 views

CVE-2024-10010

The CVE-2024-10010 entry concerns LearnPress (WordPress LMS plugin) prior to version 4.2.7.2, where inadequate sanitisation/escaping of certain settings allows Stored XSS by high-privilege users (e.g., admins), including in multisite setups where unfiltered_html is disallowed. Public Red Hat and ...

4.8CVSS5.4AI score0.0045EPSS
CVE
CVE
added 2024/06/19 2:18 p.m.62 views

CVE-2023-36516

CVE-2023-36516 : WordPress LearnPress plugin versions

8.8CVSS7.9AI score0.00406EPSS
CVE
CVE
added 2021/12/13 10:41 a.m.57 views

CVE-2021-24951

The CVE-2021-24951 entry concerns the LearnPress WordPress plugin (prior to version 4.1.4). The exposed issue is a SQL injection in the duplicator flow where the id parameter is not properly sanitized, validated, or escaped before use in SQL statements (affecting course/lesson/quiz/question opera...

9.8CVSS9.6AI score0.01575EPSS
CVE
CVE
added 2021/10/18 1:46 p.m.56 views

CVE-2021-24702

CVE-2021-24702 concerns the LearnPress WordPress plugin. The provided documents describe a vulnerability in which the plugin, in versions before 4.1.3.1, does not properly sanitize or escape inputs in course settings, potentially enabling Cross-Site Scripting (XSS) for high-privilege users when u...

4.8CVSS4.8AI score0.00661EPSS
CVE
CVE
added 2024/07/02 11:1 a.m.56 views

CVE-2024-6099

CVE-2024-6099 affects the LearnPress – WordPress LMS Plugin. The vulnerability is an unauthenticated registration bypass caused by missing authorization checks in the checkout flow (check_validate_fields), enabling an attacker to register with the site’s default role even if registration is disab...

5.3CVSS5.6AI score0.0042EPSS
CVE
CVE
added 2024/05/10 9:32 a.m.55 views

CVE-2024-4277

CVE-2024-4277 affects LearnPress – WordPress LMS Plugin. Affected: all WordPress versions up to and including 4.2.6.5. Root cause: insufficient input sanitization and output escaping in the layout_html parameter. Impact: authenticated attackers with contributor-level access can store scripts that...

6.4CVSS5.7AI score0.0034EPSS
CVE
CVE
added 2021/10/21 7:38 p.m.54 views

CVE-2021-39348

The CVE-2021-39348 entry describes a stored XSS in the LearnPress WordPress plugin caused by insufficient escaping of the $custom_profile parameter in inc/admin/views/backend-user-profile.php. Affected are LearnPress versions up to 4.1.3.1, including multisite setups or admins with unfiltered_htm...

5.5CVSS4.7AI score0.05037EPSS
CVE
CVE
added 2024/05/10 8:32 a.m.50 views

CVE-2024-4444

CVE-2024-4444 affects the LearnPress – WordPress LMS Plugin for WordPress. The vulnerability is in LearnPress versions up to 4.2.6.5 and is caused by missing checks in the checkout’s create_account function, enabling unauthenticated attackers to register as the site’s default role even when regis...

6.5CVSS6.7AI score0.00712EPSS
CVE
CVE
added 2019/01/09 10:0 p.m.48 views

CVE-2018-16173

CVE-2018-16173 affects the WordPress LearnPress plugin prior to version 3.1.0. The vulnerability is a cross-site scripting (XSS) flaw that can let remote attackers inject arbitrary web script or HTML via unspecified vectors, potentially causing arbitrary script execution in the logged-in user’s b...

6.1CVSS6.1AI score0.00952EPSS
CVE
CVE
added 2019/01/09 10:0 p.m.47 views

CVE-2018-16174

The CVE-2018-16174 Open Redirect affects the WordPress LearnPress plugin, specifically versions prior to 3.1.0. The vulnerability allows remote attackers to redirect logged-in users to arbitrary sites, enabling phishing. The OpenVAS and JVN entries corroborate a multi-source disclosure of this is...

6.1CVSS6.3AI score0.01036EPSS
CVE
CVE
added 2025/05/15 8:6 p.m.47 views

CVE-2024-13127

CVE-2024-13127 concerns the LearnPress WordPress LMS Plugin prior to 4.2.7.5.1. The vulnerability arises because the plugin does not sanitize and escape certain settings, enablingStored Cross-Site Scripting (Stored XSS) by high-privilege users (e.g., admins) in multisite scenarios even when unfil...

4.8CVSS7.8AI score0.00266EPSS
CVE
CVE
added 2023/05/18 8:37 a.m.45 views

CVE-2023-30487

CVE-2023-30487 is an unauthenticated cross-site scripting (XSS) vulnerability in the LearnPress Export Import plugin for WordPress. Affected versions are

7.1CVSS6AI score0.00382EPSS
CVE
CVE
added 2025/05/15 8:6 p.m.40 views

CVE-2024-13128

The CVE-2024-13128 entry concerns the LearnPress WordPress plugin prior to version 4.2.7.5.1. According to the provided documents, the vulnerability arises because the plugin does not sanitize and escape certain settings, which could allow high-privilege users (e.g., admins) to perform a Stored C...

4.8CVSS5.7AI score0.00315EPSS
CVE
CVE
added 2019/01/09 10:0 p.m.39 views

CVE-2018-16175

Affected software: WordPress LearnPress plugin (pre-3.1.0). Vulnerability: SQL Injection allowing a user with administrative privileges to execute arbitrary SQL commands via unspecified vectors. Impact: Potential arbitrary SQL execution with full admin rights. Root cause / details: The CVE-2018-1...

7.2CVSS7.3AI score0.01306EPSS