Learnpress — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/learnpress/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 14 Apr 2026 02:16:57 +0000LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability (CVE-2026-4365)https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/Tue, 14 Apr 2026 02:16:57 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.The LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the delete_question_answer() function. The plugin exposes a wp_rest nonce in public frontend HTML, and this nonce serves as the sole security check for the lp-load-ajax AJAX dispatcher. As the delete_question_answer action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.

Attack Chain

  1. An unauthenticated attacker identifies a LearnPress installation with a vulnerable version (<= 4.3.2.8).
  2. The attacker accesses the public frontend of the WordPress site.
  3. The attacker retrieves the wp_rest nonce from the lpData variable in the HTML source code. This nonce is used for AJAX requests.
  4. The attacker crafts a POST request to the wp-admin/admin-ajax.php endpoint.
  5. The crafted POST request includes the action parameter set to delete_question_answer.
  6. The request also includes the nonce parameter with the value of the retrieved wp_rest nonce.
  7. The request includes the answer_id parameter set to the ID of the quiz answer option to be deleted.
  8. The server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.

Impact

Successful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.

Recommendation

  • Upgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.
  • Deploy the Sigma rule “Detect LearnPress Unauthorized Data Deletion Attempt” to your SIEM to identify potential exploitation attempts.
  • Monitor web server logs for POST requests to wp-admin/admin-ajax.php with the action parameter set to delete_question_answer and investigate suspicious activity.
]]>criticaladvisorywordpresspluginlearnpressdata-deletionunauthorized-access