CVE-2026-8383
published 2026-06-17
medium · 5.3 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 0.42% (34.0th percentile)
LearnPress < 4.3.7 - Unauthenticated Sensitive User Information Disclosure via REST API
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request.
VulDB
LearnPress Plugin up to 4.3.6 on WordPress REST Endpoint authorization (EUVD-2026-37558)
vuldb·2026-06-18
CVE-2026-8383 [CRITICAL] LearnPress Plugin up to 4.3.6 on WordPress REST Endpoint authorization (EUVD-2026-37558)
A vulnerability classified as critical was found in LearnPress Plugin up to 4.3.6 on WordPress. The impacted element is an unknown function of the component REST Endpoint. Such manipulation leads to missing authorization.
This vulnerability is referenced as CVE-2026-8383. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each return
ghsa_unreviewed·2026-06-17
CVE-2026-8383 [MEDIUM] CWE-862 The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each return
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request.
CVEList
LearnPress < 4.3.7 - Unauthenticated Sensitive User Information Disclosure via REST API
cvelistv5·2026-06-17·CVSS 5.3
CVE-2026-8383 [MEDIUM] CWE-862 LearnPress < 4.3.7 - Unauthenticated Sensitive User Information Disclosure via REST API
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-17