{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/learnpress/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4365"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","learnpress","data-deletion","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the \u003ccode\u003edelete_question_answer()\u003c/code\u003e function. The plugin exposes a \u003ccode\u003ewp_rest\u003c/code\u003e nonce in public frontend HTML, and this nonce serves as the sole security check for the \u003ccode\u003elp-load-ajax\u003c/code\u003e AJAX dispatcher. As the \u003ccode\u003edelete_question_answer\u003c/code\u003e action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a LearnPress installation with a vulnerable version (\u0026lt;= 4.3.2.8).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the public frontend of the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003ewp_rest\u003c/code\u003e nonce from the \u003ccode\u003elpData\u003c/code\u003e variable in the HTML source code. This nonce is used for AJAX requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request also includes the \u003ccode\u003enonce\u003c/code\u003e parameter with the value of the retrieved \u003ccode\u003ewp_rest\u003c/code\u003e nonce.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eanswer_id\u003c/code\u003e parameter set to the ID of the quiz answer option to be deleted.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LearnPress Unauthorized Data Deletion Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e and investigate suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T02:16:57Z","date_published":"2026-04-14T02:16:57Z","id":"/briefs/2026-04-learnpress-data-deletion/","summary":"The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.","title":"LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability (CVE-2026-4365)","url":"https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Learnpress","version":"https://jsonfeed.org/version/1.1"}