Skip to content
Threat Feed
high advisory

Sensitive Information Exposure in LearnPress WordPress Plugin (CVE-2026-13765)

An unauthenticated sensitive information exposure vulnerability (CVE-2026-13765) in the LearnPress - WordPress LMS Plugin for Create and Sell Online Courses, versions up to 4.4.1, allows attackers to extract quiz answers, options, explanations, and question content, including for paid courses.

A critical sensitive information exposure vulnerability, identified as CVE-2026-13765, exists in the LearnPress - WordPress LMS Plugin for Create and Sell Online Courses, affecting all versions up to and including 4.4.1. This flaw, present in the check_answer functionality, allows unauthenticated attackers to bypass authorization controls and extract highly sensitive information. This includes correct answer markers, full option lists, detailed explanations, and the content of any quiz question hosted on the site. The impact extends to questions belonging to paid courses, enabling attackers to obtain valuable educational content without enrollment or payment. The vulnerability stems from missing authorization checks (CWE-862) within the plugin's code, enabling a direct attack against web applications utilizing the plugin.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress website running the vulnerable LearnPress plugin.
  2. The attacker crafts an HTTP GET or POST request targeting a LearnPress endpoint associated with quiz functionality, specifically invoking the check_answer logic.
  3. The malicious request includes parameters identifying a specific quiz and question, such as quiz_id and question_id.
  4. Due to a missing authorization check, the LearnPress plugin processes the request without verifying the attacker's authentication or enrollment status for the course.
  5. The vulnerable check_answer function executes and, instead of merely validating an answer, inadvertently retrieves and exposes sensitive details about the question and its solution.
  6. The web server returns an HTTP 200 OK response containing the quiz question's correct answer, the complete list of options, the explanation, and the question content.
  7. The attacker parses the response to successfully extract the sensitive educational content, including details from paid courses they are not enrolled in.

Impact

Successful exploitation of CVE-2026-13765 leads to a significant compromise of intellectual property and the integrity of online educational content. Attackers can obtain full quiz solutions, including correct answers, alternative options, and detailed explanations, for any quiz on the platform. This bypasses paywalls and enrollment requirements for paid courses, effectively devaluing the educational offerings and potentially leading to lost revenue for course creators and organizations. The exposure also allows malicious actors to distribute answers, facilitating cheating, and undermining the academic integrity of institutions relying on the LearnPress plugin.

Recommendation

  • Patch CVE-2026-13765 immediately by updating the LearnPress plugin to version 4.4.2 or higher.
  • Deploy the Detects CVE-2026-13765 Exploitation - LearnPress Information Exposure Attempt Sigma rule to your SIEM and monitor webserver logs for suspicious access patterns to LearnPress quiz-related endpoints.
  • Enable comprehensive web server logging for HTTP requests, including URI stems and query parameters, to facilitate detection and investigation of exploitation attempts.

Detection coverage 1

Detects CVE-2026-13765 Exploitation - LearnPress Information Exposure Attempt

high

Detects attempts to exploit CVE-2026-13765 by accessing LearnPress quiz answer checking functionalities without proper authorization, leading to sensitive information exposure.

sigma tactics: collection techniques: T1213 sources: webserver

Detection queries are available on the platform. Get full rules →