https://feed.craftedsignal.io/tags/data-deletion/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 14 Apr 2026 02:16:57 +0000https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/Tue, 14 Apr 2026 02:16:57 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.The LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the delete_question_answer() function. The plugin exposes a wp_rest nonce in public frontend HTML, and this nonce serves as the sole security check for the lp-load-ajax AJAX dispatcher. As the delete_question_answer action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.

Attack Chain

1. An unauthenticated attacker identifies a LearnPress installation with a vulnerable version (<= 4.3.2.8).
2. The attacker accesses the public frontend of the WordPress site.
3. The attacker retrieves the wp_rest nonce from the lpData variable in the HTML source code. This nonce is used for AJAX requests.
4. The attacker crafts a POST request to the wp-admin/admin-ajax.php endpoint.
5. The crafted POST request includes the action parameter set to delete_question_answer.
6. The request also includes the nonce parameter with the value of the retrieved wp_rest nonce.
7. The request includes the answer_id parameter set to the ID of the quiz answer option to be deleted.
8. The server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.

Impact

Successful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.

Recommendation

• Upgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.
• Deploy the Sigma rule “Detect LearnPress Unauthorized Data Deletion Attempt” to your SIEM to identify potential exploitation attempts.
• Monitor web server logs for POST requests to wp-admin/admin-ajax.php with the action parameter set to delete_question_answer and investigate suspicious activity.

]]>criticaladvisorywordpresspluginlearnpressdata-deletionunauthorized-accesshttps://feed.craftedsignal.io/briefs/2026-03-openemr-auth-bypass/Thu, 26 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-openemr-auth-bypass/OpenEMR versions before 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user to delete patient data.OpenEMR, a widely used open-source electronic health records and medical practice management application, is vulnerable to a significant authorization bypass. Specifically, versions prior to 8.0.0.3 lack proper authorization checks in the interface/forms/procedure_order/handle_deletions.php AJAX endpoint. This flaw enables any authenticated user, regardless of their assigned role or privileges, to delete procedure orders, patient answers, and specimen records associated with any patient within the OpenEMR system. This vulnerability poses a serious threat to data integrity and confidentiality. The vendor patched this vulnerability in version 8.0.0.3. Defenders should prioritize identifying and patching vulnerable systems.

Attack Chain

1. An attacker gains valid credentials to an OpenEMR instance, potentially through phishing, credential stuffing, or other means.
2. The attacker logs into the OpenEMR web application with their valid, but potentially low-privilege, account.
3. The attacker crafts a malicious AJAX request targeting the vulnerable endpoint: interface/forms/procedure_order/handle_deletions.php.
4. The crafted request specifies the IDs of procedure orders, answers, or specimens that the attacker wishes to delete, regardless of the associated patient.
5. Due to the missing authorization check, the OpenEMR application processes the deletion request without verifying the attacker’s permissions.
6. The specified patient data (procedure orders, answers, or specimens) is permanently deleted from the OpenEMR database.
7. The attacker can repeat this process to delete additional patient data, potentially causing significant disruption or data loss.

Impact

The missing authorization vulnerability in OpenEMR allows any authenticated user to delete sensitive patient data, including procedure orders, answers to medical questionnaires, and specimen records. Successful exploitation could lead to data loss, compliance violations (e.g., HIPAA), and disruption of medical practice operations. The precise number of potentially affected OpenEMR instances is unknown, but given the widespread use of OpenEMR in medical practices, the impact could be substantial.

Recommendation

• Upgrade all OpenEMR installations to version 8.0.0.3 or later to remediate CVE-2026-34053.
• Implement network monitoring for requests to interface/forms/procedure_order/handle_deletions.php and investigate any unusual activity.
• Deploy the Sigma rule to detect potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.

]]>highadvisoryopenemrauthorization-bypassdata-deletion