
Thimpress Learnpress vulnerabilities

51 known vulnerabilities affecting thimpress/learnpress.

Total CVEs: 51
CISA KEV: 0
Public exploits: 13
Exploited in wild: 8
Severity breakdown: CRITICAL 6, HIGH 15, MEDIUM 30

Vulnerabilities

Page 2 of 3
CVE-2022-45820 | P3 | HIGH | CVSS 8.8 | ≤ 4.1.7.3.2 | 2023-01-26
CVE-2022-45820 [HIGH] CWE-89: SQL Injection (SQLi) vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
nvd
CVE-2024-2115 | P3 | HIGH | CVSS 8.8 | fixed in 4.0.1 | 2024-04-05
CVE-2024-2115 [HIGH] CWE-352: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.0. This is due to missing or incorrect nonce validation on the filter_users functions. This makes it possible for unauthenticated attackers to elevate their privileges to that of a teacher via a forged request
nvd
CVE-2018-16175 | P3 | HIGH | CVSS 7.2 | fixed in 3.1.0 | prior to version 3.1.0 | 2019-01-09
CVE-2018-16175 [HIGH] CWE-89: SQL injection vulnerability in the LearnPress prior to version 3.1.0 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.
nvd
CVE-2025-66054 | P3 | HIGH | CVSS 7.5 | ≤ 4.2.9.4 | 2025-12-18
CVE-2025-66054 [HIGH] CWE-862: Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through <= 4.2.9.4.
nvd
CVE-2024-7548 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.2.6.9.4 | 2024-08-08
CVE-2024-7548 [MEDIUM] CWE-89: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'order' parameter in all versions up to, and including, 4.2.6.9.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with
nvd
CVE-2024-4444 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.2.6.6 | 2024-05-14
CVE-2024-4444 [MEDIUM] CWE-420: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disa
nvd
CVE-2024-39641 | P3 | HIGH | CVSS 8.8 | fixed in 4.2.6.9 | ≥ n/a, ≤ 4.2.6.8.2 | 2024-08-26
CVE-2024-39641 [HIGH] CWE-352: Cross-Site Request Forgery (CSRF) vulnerability in ThimPress LearnPress. This issue affects LearnPress: from n/a through 4.2.6.8.2.
nvd
CVE-2020-7916 | P3 | MEDIUM | CVSS 6.5 | ≤ 3.2.6.5 | 2020-03-16
CVE-2020-7916 [MEDIUM] CWE-269: be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 and earlier for WordPress allows any registered user to assign itself the teacher role via the wp-admin/admin-ajax.php?action=learnpress_be_teacher URI without any additional permission checks. Therefore, any user can change its role to an instructor/teacher and gain access to othe
nvd
CVE-2024-39642 | P4 | MEDIUM | CVSS 6.5 | ≥ n/a, ≤ 4.2.6.8.2 | 2024-08-13
CVE-2024-39642 [MEDIUM] CWE-639: Authorization Bypass Through User-Controlled Key vulnerability in ThimPress LearnPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LearnPress: from n/a through 4.2.6.8.2.
nvd
CVE-2024-6099 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.2.6.8.2 | 2024-07-02
CVE-2024-6099 [MEDIUM] CWE-420: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, eve
nvd
CVE-2024-6088 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.2.6.8.2 | 2024-07-02
CVE-2024-6088 [MEDIUM] CWE-862: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role.
nvd
CVE-2025-67536 | P4 | MEDIUM | CVSS 6.5 | ≤ 4.2.9.4 | 2025-12-09
CVE-2025-67536 [MEDIUM] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress learnpress allows Stored XSS. This issue affects LearnPress: from n/a through <= 4.2.9.4.
nvd
CVE-2024-1289 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.2.6.4 | 2024-04-09
CVE-2024-1289 [MEDIUM] CWE-285: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to obtain information on orders placed by other users and gue
nvd
CVE-2025-22739 | P4 | MEDIUM | CVSS 5.3 | ≤ 4.2.7.5 | 2025-03-27
CVE-2025-22739 [MEDIUM] CWE-862: Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through <= 4.2.7.5.
nvd
CVE-2026-48865 | P4 | HIGH | CVSS 7.1 | ≥ n/a, ≤ 4.3.6 | 2026-06-01
CVE-2026-48865 [HIGH] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress allows Reflected XSS. This issue affects LearnPress: from n/a through 4.3.6.
nvd
CVE-2021-39348 | P4 | MEDIUM | CVSS 4.8 | ≤ 4.1.3.1 | 2021-10-21
CVE-2021-39348 [MEDIUM]: The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site insta
nvd
CVE-2024-4277 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.2.6.6 | 2024-05-14
CVE-2024-4277 [MEDIUM] CWE-79: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_html’ parameter in all versions up to, and including, 4.2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary
nvd
CVE-2024-13599 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.2.7.5.1 | 2025-01-25
CVE-2024-13599 [MEDIUM] CWE-79: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web script
nvd
CVE-2018-16173 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.1.0 | prior to version 3.1.0 | 2019-01-09
CVE-2018-16173 [MEDIUM] CWE-79: Cross-site scripting vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2023-30487 | P4 | MEDIUM | CVSS 6.1 | ≤ 4.0.2 | 2023-05-18
CVE-2023-30487 [MEDIUM] CWE-79: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ThimPress LearnPress Export Import plugin <= 4.0.2 versions.
nvd