Attack Vectors
CVE-2026-3226 affects the LearnPress – WordPress LMS Plugin for Create and Sell Online Courses (slug: learnpress) in versions 4.3.2.8 and below. This is a Medium severity issue (CVSS 4.3) that can be exploited by an authenticated user with Subscriber-level access or higher.
The core problem is that the LearnPress AJAX dispatcher (AbstractAjax::catch_lp_ajax()) verifies a wp_rest nonce but performs no authorization check (no current_user_can() call) before routing requests to the email-related handlers. A nonce is a CSRF token: it proves the request originated from a page WordPress served to that session, not that the user holds any particular role. Because the wp_rest nonce is embedded in the frontend JavaScript for every authenticated user, a low-privileged account can read it and call email-notification endpoints that should be restricted.
In practical terms, any user who can log in (including basic subscribers, students, or trial accounts) may be able to trigger LearnPress email notifications on demand by invoking functions in the SendEmailAjax class.
Security Weakness
The vulnerability is caused by missing authorization (capability) checks across all 10 functions in the SendEmailAjax class in affected versions. While a nonce helps reduce cross-site request forgery risk, it is not a replacement for permission checks—especially when that nonce is available to any authenticated session.
This weakness is classified as Missing Authorization (CWE-862): the system confirms that the request looks "valid" (nonce present) but never confirms that the user is allowed to perform the action (no role or capability enforcement).
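The pattern described above, shown as an added illustration rather than LearnPress's own code: a minimal WordPress AJAX handler in the vulnerable shape (nonce check only) next to the hardened shape (nonce check plus a capability check). The class names, the demo_send_course_email action, the send_course_email() helper and the capability used are hypothetical; wp_verify_nonce(), check_ajax_referer(), current_user_can() and wp_send_json_error() are standard WordPress functions.

```php
<?php
/*
 * Added example, not LearnPress code. Two AJAX handlers for the same action:
 * one with only a nonce check (the vulnerable shape), one that also enforces
 * a capability. Names prefixed "demo_" and both classes are hypothetical.
 */

// Vulnerable shape: the 'wp_rest' nonce only proves the request came from a
// page WordPress served to a logged-in session. It blocks CSRF from a third
// party site, but every Subscriber has the same nonce in their page JavaScript,
// so nothing here distinguishes a student from an administrator.
class Demo_Vulnerable_Email_Ajax {
    public static function register() {
        add_action( 'wp_ajax_demo_send_course_email', array( __CLASS__, 'dispatch' ) );
    }

    public static function dispatch() {
        $nonce = isset( $_REQUEST['_wpnonce'] )
            ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) )
            : '';
        if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
            wp_send_json_error( 'invalid nonce', 403 ); // wp_send_json_error() calls wp_die()
        }
        // No current_user_can() call: any authenticated user reaches this line.
        $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;
        self::send_course_email( $course_id );
        wp_send_json_success();
    }

    // Hypothetical stand-in for an email-sending routine.
    protected static function send_course_email( $course_id ) {
        wp_mail( get_option( 'admin_email' ), 'Course notification', 'Course ' . $course_id );
    }
}

// Hardened shape: same nonce check, then an explicit authorization decision
// before any side effect. The capability is the policy knob; use the most
// specific one the site defines rather than 'manage_options' if it has one.
class Demo_Hardened_Email_Ajax {
    const REQUIRED_CAP = 'manage_options'; // hypothetical choice for an admin-only action

    public static function register() {
        add_action( 'wp_ajax_demo_send_course_email', array( __CLASS__, 'dispatch' ) );
    }

    public static function dispatch() {
        // check_ajax_referer() verifies the nonce and dies on failure (CSRF protection).
        check_ajax_referer( 'wp_rest', '_wpnonce' );

        // Authorization: who the caller is, independent of the nonce.
        if ( ! current_user_can( self::REQUIRED_CAP ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;
        if ( 0 === $course_id ) {
            wp_send_json_error( 'missing course_id', 400 );
        }
        self::send_course_email( $course_id );
        wp_send_json_success();
    }

    protected static function send_course_email( $course_id ) {
        wp_mail( get_option( 'admin_email' ), 'Course notification', 'Course ' . $course_id );
    }
}

// Only one of the two should be registered on a site; both are shown for contrast.
Demo_Hardened_Email_Ajax::register();
```

The check a reviewer wants to see is the one the second class adds: a capability test placed before the first side effect, in every handler the dispatcher can reach, not only in the ones that look sensitive. If a handler is legitimately available to students (for example, re-sending a user's own enrollment confirmation), the capability check should still exist and the handler should additionally verify that the target record belongs to the calling user.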
Technical or Business Impacts
Although the CVSS impact is rated Medium and does not indicate direct data theft, the business risk can still be meaningful for organizations running training, customer education, or paid course operations on WordPress.
Potential impacts include:
Email abuse and brand damage: Unauthorized triggering of email notifications can lead to unexpected or confusing emails being sent from your domain. This can erode trust with learners/customers and create support overhead.
Deliverability and compliance risk: Increased or abnormal notification volume may harm sender reputation and email deliverability. Depending on your notification content and audience, it can also complicate compliance obligations (for example, complaints, unsubscribe handling, and communications governance).
Operational disruption: Even without “hacking” outcomes like data extraction, the ability for low-privileged users to trigger email workflows can create noise for marketing and support teams and disrupt course operations.
Remediation: Update LearnPress to version 4.3.3 or newer (patched). After updating, review user roles (especially Subscriber/student roles), ensure only necessary accounts exist, and monitor outbound email volumes for anomalies.
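One way to implement the outbound-email monitoring suggested above at the WordPress layer, as an added example that is not part of the original page or of LearnPress: a must-use plugin that hooks the standard wp_mail filter, counts messages per triggering user in a fixed one-hour window, and writes a warning to the PHP error log once a user passes a threshold. The threshold, the transient key prefix and the demo_ names are hypothetical; add_filter(), get_transient(), set_transient(), get_current_user_id(), HOUR_IN_SECONDS and the wp_mail filter signature are standard WordPress.

```php
<?php
/*
 * Added example, not LearnPress code. Drop into wp-content/mu-plugins/ to
 * record which logged-in user triggered each outbound email and flag users
 * whose hourly volume is abnormal. Threshold and key prefix are hypothetical.
 */

const DEMO_MAIL_HOURLY_THRESHOLD = 20;          // hypothetical: tune to the site's normal volume
const DEMO_MAIL_COUNTER_PREFIX   = 'demo_mail_count_';

/**
 * Increment the caller's counter in a fixed one-hour window and return the new count.
 * The window start is stored alongside the count so that repeated set_transient()
 * calls do not keep extending the window.
 */
function demo_mail_bump_counter( $user_id ) {
    $key  = DEMO_MAIL_COUNTER_PREFIX . (int) $user_id;
    $data = get_transient( $key );
    if ( ! is_array( $data ) || ! isset( $data['start'], $data['count'] ) ) {
        $data = array( 'start' => time(), 'count' => 0 );
    }
    $data['count']++;
    $remaining = max( 1, HOUR_IN_SECONDS - ( time() - (int) $data['start'] ) );
    set_transient( $key, $data, $remaining );
    return (int) $data['count'];
}

add_filter( 'wp_mail', function ( $args ) {
    // The wp_mail filter receives the array of to/subject/message/headers/attachments.
    $user_id = get_current_user_id();          // 0 for cron, webhooks and anonymous requests
    $count   = demo_mail_bump_counter( $user_id );
    $to      = implode( ',', (array) ( isset( $args['to'] ) ? $args['to'] : array() ) );
    $subject = isset( $args['subject'] ) ? (string) $args['subject'] : '';

    if ( $count > DEMO_MAIL_HOURLY_THRESHOLD ) {
        // Logging only; an alert on this line in the error log is the monitoring signal.
        error_log( sprintf(
            'demo_mail_monitor: user %d has triggered %d emails this hour (to=%s subject=%s uri=%s)',
            $user_id,
            $count,
            $to,
            $subject,
            isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '-'
        ) );
    }
    return $args; // the wp_mail filter must return the (possibly modified) arguments
}, 10, 1 );
```

This is a detective control, not a fix: the patched plugin version is the remediation, and this hook is only useful for confirming that the upgrade closed the path and for spotting any other plugin with the same shape of bug. To block rather than log, the pre_wp_mail filter (WordPress 5.7 and later) can short-circuit sending by returning a non-null value, but a hard block risks suppressing legitimate course emails, so a threshold well above normal volume is advisable.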
Similar attacks (real-world examples): Authorization gaps and low-privilege abuse are a recurring pattern in WordPress plugin vulnerabilities. One widely exploited example is CVE-2023-3460 in the Ultimate Member plugin, where insufficient checks on user registration let unauthenticated attackers create accounts with administrator privileges; the common thread with the LearnPress issue is that the code verified the request's form without verifying the caller's authority.