Thimpress Learnpress
By the Year
In 2026 there have been 9 vulnerabilities in Thimpress Learnpress with an average score of 5.5 out of ten. Last year, in 2025, Learnpress had 13 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Learnpress in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.97.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 9 | 5.53 |
| 2025 | 13 | 6.50 |
| 2024 | 27 | 7.29 |
| 2023 | 4 | 8.63 |
| 2022 | 3 | 6.17 |
| 2021 | 4 | 6.47 |
| 2020 | 2 | 8.80 |
| 2019 | 3 | 6.47 |
It may take a day or so for new Learnpress vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Thimpress Learnpress Security Vulnerabilities
LearnPress 4.3.3 Stored XSS via skin attribute
CVE-2026-4333
6.4 - Medium
- April 08, 2026
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on the 'skin' shortcode attribute. The attribute value is used directly in an sprintf() call that generates HTML (class attribute and data-layout attribute) without any esc_attr() escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Auth Bypass in LearnPress Sepay Payment <=4.0.0 (CVE-2026-25002)
CVE-2026-25002
7.5 - High
- March 25, 2026
Authentication Bypass Using an Alternate Path or Channel vulnerability in ThimPress LearnPress – Sepay Payment learnpress-sepay-payment allows Authentication Abuse. This issue affects LearnPress – Sepay Payment: from n/a through <= 4.0.0.
Authentication Bypass Using an Alternate Path or Channel
LearnPress LMS WP Plugin v4.3.2.8: Missing Cap Check Enables Quiz Answer Delete
CVE-2026-3225
4.3 - Medium
- March 23, 2026
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and the QuestionAnswerModel::delete() method only validates minimum answer counts without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete answer options from any quiz question on the site.
AuthZ
LearnPress WP LMS Plugin <=4.3.2.8 Unauth Email Trigger
CVE-2026-3226
4.3 - Medium
- March 12, 2026
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
AuthZ
LearnPress Export Import WP Plugin Unauth Data Delete (4.1.0)
CVE-2026-1787
4.8 - Medium
- February 21, 2026
The LearnPress Export Import WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete courses that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.
AuthZ
CVE-2026-24361: Stored XSS in ThimPress LearnPress Course Review <=4.1.9
CVE-2026-24361
6.5 - Medium
- January 22, 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS. This issue affects LearnPress – Course Review: from n/a through <= 4.1.9.
XSS
LearnPress WP LMS PLUGIN <4.3.2.4: Sensitive Info Exposure via get_item_chk
CVE-2025-14798
5.3 - Medium
- January 20, 2026
The LearnPress WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included.
AuthZ
LearnPress 4.3.2.2 Unauth File Deletion via /wp-json/lp/v1/material
CVE-2025-14802
5.4 - Medium
- January 07, 2026
The LearnPress WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id.
Insecure Direct Object Reference / IDOR
Unauth. Data Tampering in LearnPress LMS Plugin 4.3.2 on WP
CVE-2025-13964
5.3 - Medium
- January 06, 2026
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items.
AuthZ
LearnPress WP Plugin Missing Auth Before 4.2.9.4
CVE-2025-66054
7.5 - High
- December 18, 2025
Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through <= 4.2.9.4.
AuthZ
LearnPress WP LMS Plugin <=4.3.1 Stats Exposure Unauthorized Access
CVE-2025-13956
5.3 - Medium
- December 16, 2025
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders statistics, including total revenue summaries and order status counts.
AuthZ
LearnPress LMS Plugin 4.3.1 Stored XSS via Unsanitized Content
CVE-2025-14387
6.4 - Medium
- December 15, 2025
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS in ThimPress LearnPress (<=4.2.9.4)
CVE-2025-67536
6.5 - Medium
- December 09, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress learnpress allows Stored XSS. This issue affects LearnPress: from n/a through <= 4.2.9.4.
XSS
LearnPress WP LMS Plugin 4.2.9.4 Sensitive Information Disclosure via REST API
CVE-2025-11368
5.3 - Medium
- November 21, 2025
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs.
Information Disclosure
LearnPress Export Import <=4.0.9 LFI via PHP Include/Require
CVE-2025-60200
7.5 - High
- November 06, 2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows PHP Local File Inclusion. This issue affects LearnPress Export Import: from n/a through <= 4.1.2.
Remote file include
ThimPress LearnPress Export Import Reflected XSS <=4.0.9
CVE-2025-49992
7.1 - High
- October 22, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows Reflected XSS. This issue affects LearnPress Export Import: from n/a through <= 4.0.9.
XSS
LearnPress WP LMS Plugin <=4.2.9.2: Unauth Admin Tools REST Mod
CVE-2025-11372
6.5 - Medium
- October 18, 2025
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permission_callback set to __return_true. This makes it possible for unauthenticated attackers to perform destructive database operations including dropping indexes on any table (including WordPress core tables like wp_options), creating duplicate configuration entries, and degrading site performance via the /wp-json/lp/v1/admin/tools/create-indexs endpoint granted they can provide table names.
AuthZ
LearnPress WP Plugin <4.2.7.5.1: Stored XSS via Unsanitised Settings
CVE-2024-13128
- May 15, 2025
The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
XSS
LearnPress WP Plugin <4.2.7.5.1 Stored XSS via Unsanitised Settings
CVE-2024-13127
- May 15, 2025
The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
XSS
ThimPress LearnPress: Missing Auth CVE-2025-22739 <=4.2.7.5
CVE-2025-22739
- March 27, 2025
Missing Authorization vulnerability in ThimPress LearnPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through 4.2.7.5.
AuthZ
LearnPress Open-Redirect via URL to Untrusted Site (4.2.7.1)
CVE-2025-24740
- January 27, 2025
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in ThimPress LearnPress learnpress. This issue affects LearnPress: from n/a through <= 4.2.7.1.
Open Redirect
LearnPress WP LMS Plugin <=4.2.7.5 XSS via lesson name (LP Instructor+)
CVE-2024-13599
6.4 - Medium
- January 25, 2025
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
LearnPress WP Plugin 4.2.7.2 Stores XSS via Unsanitized Settings
CVE-2024-9881
- December 12, 2024
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
XSS
LearnPress WP 4.2.7.2 - Stored XSS via Unsanitized Settings
CVE-2024-10010
- December 12, 2024
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
XSS
LearnPress WordPress LMS Plugin: Sensitive Information Exposure in REST API
CVE-2024-11868
5.3 - Medium
- December 10, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material.
Authorization
LearnPress WP LMS Plugin 4.2.7 SQLi via c_fields in REST API (unauthenticated)
CVE-2024-8529
10 - Critical
- September 12, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
SQL Injection
LearnPress <=4.2.7 SQLi via c_only_fields WP REST API
CVE-2024-8522
10 - Critical
- September 12, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
SQL Injection
LearnPress CSRF Vulnerability (<=4.2.6.8.2)
CVE-2024-39641
8.8 - High
- August 26, 2024
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress LearnPress. This issue affects LearnPress: from n/a through 4.2.6.8.2.
Session Riding
LearnPress <=4.2.6.8.2 Auth Bypass via User-Key Unconstrained ACL
CVE-2024-39642
- August 13, 2024
Authorization Bypass Through User-Controlled Key vulnerability in ThimPress LearnPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LearnPress: from n/a through 4.2.6.8.2.
Insecure Direct Object Reference / IDOR
LearnPress WP LMS Plugin <=4.2.6.9.3: Time-based SQLi via 'order' Param
CVE-2024-7548
6.5 - Medium
- August 08, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'order' parameter in all versions up to, and including, 4.2.6.9.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
SQL Injection
LearnPress LFI via render_content_block_template (4.2.6.8.2)
CVE-2024-6589
8.8 - High
- July 25, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.6.8.2 via the 'render_content_block_template' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other safe file types can be uploaded and included.
Remote file include
LearnPress LMS Plugin <=4.2.6.8.1: Unauthorized User Reg. Missing Cap
CVE-2024-6088
5.3 - Medium
- July 02, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role.
AuthZ
LearnPress WP LMS Plugin 4.2.6.8.1: Unauth User Reg Bypass
CVE-2024-6099
5.3 - Medium
- July 02, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
Unprotected Alternate Channel
Missing Auth in ThimPress LearnPress before 4.2.4
CVE-2023-36515
9.8 - Critical
- June 19, 2024
Missing Authorization vulnerability in ThimPress LearnPress. This issue affects LearnPress: from n/a through 4.2.3.
AuthZ
Missing Auth in ThimPress LearnPress 4.2.3
CVE-2023-36516
8.8 - High
- June 19, 2024
Missing Authorization vulnerability in ThimPress LearnPress. This issue affects LearnPress: from n/a through 4.2.3.
AuthZ
LearnPress LMS Plugin <4.2.6.8 Sensitive Info Exposure via get_items_perm_check
CVE-2024-5483
5.3 - Medium
- June 05, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.6.8 due to incorrect implementation of get_items_permissions_check function. This makes it possible for unauthenticated attackers to extract basic information about website users, including their emails.
Information Disclosure
LearnPress LMS Plugin v4.2.6.6: Reflected XSS via id Param
CVE-2024-4971
6.4 - Medium
- May 22, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the id parameter in all versions up to, and including, 4.2.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
LearnPress LMS Plugin <=4.2.6.5 Unauthenticated User Registration Bypass
CVE-2024-4444
5.3 - Medium
- May 14, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
Unprotected Alternate Channel
LearnPress <=4.2.6.5 SQLi via term_id unauth time-based injection
CVE-2024-4434
9.8 - Critical
- May 14, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the term_id parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
SQL Injection
LearnPress <4.2.6.5: Arbitrary File Upload via Missing Validation
CVE-2024-4397
8.8 - High
- May 14, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_post_materials' function in versions up to, and including, 4.2.6.5. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Unrestricted File Upload
LearnPress 4.2.6.5 XSS via layout_html Stored in WP LMS
CVE-2024-4277
6.4 - Medium
- May 14, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the layout_html parameter in all versions up to, and including, 4.2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS in LearnPress LMS 4.2.6.4 via _id param
CVE-2024-3560
6.4 - Medium
- April 19, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id value in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
LearnPress Plugin 4.2.6.3 XSS via Course Titles Authenticated LP Instructor
CVE-2024-1463
4.4 - Medium
- April 09, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Course, Lesson, and Quiz title and content in all versions up to, and including, 4.2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with LP Instructor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
LearnPress <=4.2.6.3 IDOR via order lookup
CVE-2024-1289
6.5 - Medium
- April 09, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to obtain information on orders placed by other users and guests, which can be leveraged to sign up for paid courses that were purchased by guests. Emails of other users are also exposed.
AuthZ
CVE-2024-2115: CSRF via filter_users in LearnPress WP LMS Plugin <=4.0.0
CVE-2024-2115
8.8 - High
- April 05, 2024
The LearnPress WordPress LMS Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.0. This is due to missing or incorrect nonce validation on the filter_users functions. This makes it possible for unauthenticated attackers to elevate their privileges to that of a teacher via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Session Riding
LearnPress WP Plugin 4.2.5.5 Reflected XSS
CVE-2023-5558
6.1 - Medium
- January 16, 2024
The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
XSS
LearnPress WP Plugin <4.2.5.7: Command Injection via get_content (RCE)
CVE-2023-6634
8.1 - High
- January 11, 2024
The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.
Argument Injection
LearnPress <=4.2.5.7 Time-based SQLi via order_by
CVE-2023-6567
9.8 - Critical
- January 11, 2024
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the order_by parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
SQL Injection
LearnPress WP Plugin IDOR via JSON API (<4.2.5.7)
CVE-2023-6223
4.3 - Medium
- January 11, 2024
The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the details of another user's course progress.
Insecure Direct Object Reference / IDOR
ThimPress LearnPress Export Import <=4.0.2 Reflected XSS (Unauth)
CVE-2023-30487
6.1 - Medium
- May 18, 2023
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ThimPress LearnPress Export Import plugin <= 4.0.2 versions.
XSS