Thimpress Learnpress vulnerabilities
51 known vulnerabilities affecting thimpress/learnpress.
Total CVEs: 51
CISA KEV: 0
Public exploits: 13
Exploited in wild: 8
Severity breakdown: CRITICAL 6, HIGH 15, MEDIUM 30
Vulnerabilities
Page 3 of 3
CVE-2024-3560 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.2.6.5 | 2024-04-19
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id value in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to in
Source: NVD

CVE-2024-4971 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.2.6.7 | 2024-05-22
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.2.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can
Source: NVD

CVE-2023-6223 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | ≤ 4.2.5.7 | 2024-01-11
The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the
Source: NVD

CVE-2018-16174 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 3.1.0 | prior to version 3.1.0 | 2019-01-09
Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
Source: NVD

CVE-2024-13128 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.2.7.5.1 | 2025-05-15
The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Source: NVD

CVE-2021-24702 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.1.3.1 | 2021-10-18
The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.
Source: NVD

CVE-2024-10010 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.2.7.2 | 2024-12-12
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Source: NVD

CVE-2024-9881 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.2.7.2 | 2024-12-12
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Source: NVD

CVE-2024-13127 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.2.7.5.1 | 2025-05-15
The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Source: NVD

CVE-2025-24740 | P4 | MEDIUM | CVSS 4.7 | CWE-601 | ≤ 4.2.7.1 | 2025-01-27
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in ThimPress LearnPress learnpress. This issue affects LearnPress: from n/a through <= 4.2.7.1.
Source: NVD

CVE-2024-1463 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.2.6.4 | 2024-04-09
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Course, Lesson, and Quiz title and content in all versions up to, and including, 4.2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with LP Instructor-level access, to injec
Source: NVD