Insecure Direct Object Reference in LearnPress Plugin for WordPress
CVE-2026-11988
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-11988?
The LearnPress plugin for WordPress, which is used to run online courses, contains an Insecure Direct Object Reference (IDOR) vulnerability in its handling of the 'userId' parameter. Because the parameter is not properly validated, authenticated users with subscriber-level access or higher can view enrollment progress and completion data intended for instructors or administrators. Regular subscribers remain unaffected due to existing access controls, but users designated as instructors (LP_TEACHER_ROLE) or administrators are at risk of exposure. Site administrators should review and apply the necessary security updates to mitigate this risk.
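The following is an added example, not LearnPress code and not taken from the advisory: one way a WordPress REST handler can enforce an object-level authorization check on a `userId` parameter. The route, function names and meta key are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Hypothetical plugin code: the route, function names and meta key are
// assumptions for illustration, not LearnPress identifiers.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/progress', array(
        'methods'             => 'GET',
        'callback'            => 'example_lms_get_progress',
        // IDOR-prone pattern: '__return_true' or a bare is_user_logged_in()
        // here would accept any userId from any logged-in account.
        'permission_callback' => 'example_lms_can_view_progress',
        'args'                => array(
            'userId' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

// Object-level check: compare the requested userId with the caller's
// identity instead of trusting the parameter.
function example_lms_can_view_progress( WP_REST_Request $request ) {
    $denied = new WP_Error(
        'rest_forbidden',
        'You are not allowed to view this progress record.',
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
    if ( ! is_user_logged_in() ) {
        return $denied;
    }
    $target_id = absint( $request->get_param( 'userId' ) );
    if ( $target_id === get_current_user_id() ) {
        return true; // callers may always read their own record
    }
    // 'edit_user' is a meta capability that WordPress resolves against the
    // target account. A course-ownership check for instructors would go
    // here as well; it is omitted because it depends on the LMS data model.
    return current_user_can( 'edit_user', $target_id ) ? true : $denied;
}

function example_lms_get_progress( WP_REST_Request $request ) {
    $target_id = absint( $request->get_param( 'userId' ) );
    // Assumed storage: progress kept in user meta under a made-up key.
    $progress = get_user_meta( $target_id, 'example_lms_progress', true );
    return rest_ensure_response(
        array( 'userId' => $target_id, 'progress' => $progress )
    );
}
```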
Affected Version(s)
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses 0 <= 4.3.9.1