{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data-deletion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4365"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","learnpress","data-deletion","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the \u003ccode\u003edelete_question_answer()\u003c/code\u003e function. The plugin exposes a \u003ccode\u003ewp_rest\u003c/code\u003e nonce in public frontend HTML, and this nonce serves as the sole security check for the \u003ccode\u003elp-load-ajax\u003c/code\u003e AJAX dispatcher. As the \u003ccode\u003edelete_question_answer\u003c/code\u003e action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a LearnPress installation with a vulnerable version (\u0026lt;= 4.3.2.8).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the public frontend of the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003ewp_rest\u003c/code\u003e nonce from the \u003ccode\u003elpData\u003c/code\u003e variable in the HTML source code. This nonce is used for AJAX requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request also includes the \u003ccode\u003enonce\u003c/code\u003e parameter with the value of the retrieved \u003ccode\u003ewp_rest\u003c/code\u003e nonce.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eanswer_id\u003c/code\u003e parameter set to the ID of the quiz answer option to be deleted.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LearnPress Unauthorized Data Deletion Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e and investigate suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T02:16:57Z","date_published":"2026-04-14T02:16:57Z","id":"/briefs/2026-04-learnpress-data-deletion/","summary":"The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.","title":"LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability (CVE-2026-4365)","url":"https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openemr","authorization-bypass","data-deletion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenEMR, a widely used open-source electronic health records and medical practice management application, is vulnerable to a significant authorization bypass. Specifically, versions prior to 8.0.0.3 lack proper authorization checks in the \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e AJAX endpoint. This flaw enables any authenticated user, regardless of their assigned role or privileges, to delete procedure orders, patient answers, and specimen records associated with any patient within the OpenEMR system. This vulnerability poses a serious threat to data integrity and confidentiality. The vendor patched this vulnerability in version 8.0.0.3. Defenders should prioritize identifying and patching vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials to an OpenEMR instance, potentially through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the OpenEMR web application with their valid, but potentially low-privilege, account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the vulnerable endpoint: \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request specifies the IDs of procedure orders, answers, or specimens that the attacker wishes to delete, regardless of the associated patient.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check, the OpenEMR application processes the deletion request without verifying the attacker\u0026rsquo;s permissions.\u003c/li\u003e\n\u003cli\u003eThe specified patient data (procedure orders, answers, or specimens) is permanently deleted from the OpenEMR database.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to delete additional patient data, potentially causing significant disruption or data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe missing authorization vulnerability in OpenEMR allows any authenticated user to delete sensitive patient data, including procedure orders, answers to medical questionnaires, and specimen records. Successful exploitation could lead to data loss, compliance violations (e.g., HIPAA), and disruption of medical practice operations. The precise number of potentially affected OpenEMR instances is unknown, but given the widespread use of OpenEMR in medical practices, the impact could be substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all OpenEMR installations to version 8.0.0.3 or later to remediate CVE-2026-34053.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring for requests to \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e and investigate any unusual activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-openemr-auth-bypass/","summary":"OpenEMR versions before 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user to delete patient data.","title":"OpenEMR Missing Authorization Allows Unauthorized Data Deletion","url":"https://feed.craftedsignal.io/briefs/2026-03-openemr-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Data-Deletion","version":"https://jsonfeed.org/version/1.1"}