Sensitive Information Exposure in LearnPress LMS Plugin for WordPress
CVE-2026-8502
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 6 June 2026
What is CVE-2026-8502?
The LearnPress plugin for WordPress, used for creating and selling online courses, is susceptible to a sensitive information exposure vulnerability. This issue allows unauthenticated users to extract sensitive data through the 'return_type' parameter. Attackers can obtain plaintext post passwords for password-protected courses and access full details of unpublished drafts, including post content and metadata. The exploitation of this vulnerability is facilitated by sending a specific request to the /wp-json/lp/v1/courses/archive-course endpoint, demanding both c_status=all and return_type=json to bypass the site's security measures.
Affected Version(s)
LearnPress β WordPress LMS Plugin for Create and Sell Online Courses 0 <= 4.3.6