{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3225", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-25T19:03:11.576Z", "datePublished": "2026-03-23T22:25:40.557Z", "dateUpdated": "2026-03-25T19:19:17.537Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-23T22:25:40.557Z"}, "affected": [{"vendor": "thimpress", "product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "4.3.2.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and the QuestionAnswerModel::delete() method only validates minimum answer counts without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete answer options from any quiz question on the site."}], "title": "LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc4afb78-fca6-4cc2-8e64-4785d93055e6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Ajax/EditQuestionAjax.php#L284"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Models/Question/QuestionAnswerModel.php#L243"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Ajax/AbstractAjax.php#L17"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.3.2.8&new_path=/learnpress/tags/4.3.3"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "timeline": [{"time": "2026-02-25T19:18:22.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T09:53:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:19:01.341682Z", "id": "CVE-2026-3225", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:19:17.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3225", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T19:19:01.341682Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:19:10.360Z"}}], "cna": {"title": "LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Jack Pas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "thimpress", "product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.3.2.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-25T19:18:22.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-23T09:53:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc4afb78-fca6-4cc2-8e64-4785d93055e6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Ajax/EditQuestionAjax.php#L284"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Models/Question/QuestionAnswerModel.php#L243"}, {"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Ajax/AbstractAjax.php#L17"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.3.2.8&new_path=/learnpress/tags/4.3.3"}], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and the QuestionAnswerModel::delete() method only validates minimum answer counts without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete answer options from any quiz question on the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-23T22:25:40.557Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3225", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:19:17.537Z", "dateReserved": "2026-02-25T19:03:11.576Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-23T22:25:40.557Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and the QuestionAnswerModel::delete() method only validates minimum answer counts without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete answer options from any quiz question on the site."}], "id": "CVE-2026-3225", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-23T23:17:13.047", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Ajax/AbstractAjax.php#L17"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Ajax/EditQuestionAjax.php#L284"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.7/inc/Models/Question/QuestionAnswerModel.php#L243"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.3.2.8&new_path=/learnpress/tags/4.3.3"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc4afb78-fca6-4cc2-8e64-4785d93055e6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.3.2.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses", "source": "cna", "vendor": "thimpress"}, "product": "learnpress_\u2013_wordpress_lms_plugin_for_create_and_sell_online_courses", "vendor": "thimpress"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-24T03:43:37.695012+00:00", "value": {"mitigation_remediation": ["Update the LearnPress plugin to version 4.3.3 or later", "If an update cannot be performed immediately, restrict Subscriber and higher user roles from executing any quiz modification actions or remove the plugin until it can be patched", "Monitor site logs for unexpected quiz answer deletions and review user activity", "Consider implementing additional role\u2011based access controls to limit quiz management to administrators only"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Deletion of Quiz Question Answers"}, "threat_synthesis": {"affected_systems": "The affected product is the LearnPress \u2013 WordPress LMS Plugin developed by thimpress. All releases up to and including version 4.3.2.8 are impacted. No other product variants or versions are listed as affected.", "description_and_impact": "The vulnerability arises from a missing capability check in the delete_question_answer() function of the EditQuestionAjax class. This flaw allows any authenticated user with a Subscriber role or higher to delete answer options from any quiz question. The consequence is a direct compromise of data integrity for course content, potentially disrupting the learning experience and undermining trust in the platform. The weakness is a classic case of missing authorization (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires only that the attacker be authenticated; any user with Subscriber-level access or higher can trigger the deletion. Because the attack vector is authenticated, the likelihood of exploitation depends on the site\u2019s user base and role distribution, but the impact remains significant if attackers obtain legitimate credentials. The overall risk can be considered moderate to high for sites that rely heavily on accurate quiz data."}}}}, "created": "2026-03-24T10:30:05.092540+00:00", "updated": "2026-03-25T20:36:12.750161+00:00", "vendors": ["thimpress", "thimpress$PRODUCT$learnpress_\u2013_wordpress_lms_plugin_for_create_and_sell_online_courses", "wordpress", "wordpress$PRODUCT$wordpress"]}