Unauthorized Data Deletion in LearnPress Plugin for WordPress
CVE-2026-4365

9.1CRITICAL

Key Information:

Vendor: WordPress
Status: Learnpress – WordPress Lms Plugin For Create And Sell Online Courses
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-4365?

The LearnPress plugin for WordPress has a vulnerability that allows unauthorized users to delete quiz answer options. This is due to the absence of a necessary capability check on the 'delete_question_answer()' function, affecting all versions through 4.3.2.8. The plugin inadvertently exposes a 'wp_rest' nonce in publicly accessible frontend HTML, which serves as the only barrier to the 'lp-load-ajax' AJAX dispatcher. Unsanctioned attackers can exploit this flaw by sending specially crafted POST requests using the publicly available nonce, leading to potential data loss and manipulation.

Affected Version(s)

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses 0 <= 4.3.2.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/learnpress/tru...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Mar 17, 2026

Credit

Supakiad S.

CVE-2026-4365 Data

JSON