LearnPress – WordPress LMS Plugin for Create and Sell Online Course…

Mar 23, 2026 | Plugins

Attack Vectors

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses (slug: learnpress) versions up to and including 4.3.2.8 are affected by CVE-2026-3225, a Medium severity issue (CVSS 4.3; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

The primary attack scenario involves an authenticated user, including a basic Subscriber, who can trigger the quiz answer deletion behavior by reaching the plugin’s AJAX handling path. That path checks a nonce, which only defends against cross-site request forgery and confirms the request originated from a page served to a logged-in user; it does not check whether that user is authorized to delete quiz answers. In practical terms, this means any account that can log in (including low-privilege accounts created through marketing sign-ups, free course enrollments, partner portals, or community access) can become an entry point.

Because the vulnerability is reachable over the network and does not require user interaction beyond being logged in, organizations that allow self-registration or have large numbers of learners should consider the risk higher in real-world exposure than the “Medium” score may suggest.

Security Weakness

This issue is caused by missing authorization checks in the workflow that deletes quiz question answers. According to the advisory, the relevant deletion functionality is tied to the delete_question_answer() function, and while a REST/AJAX nonce is verified by the dispatcher, there is no equivalent capability check (no current_user_can() validation) to ensure the requester has an appropriate role (such as an instructor/admin) to delete quiz answers.

Additionally, the deletion logic described only enforces minimum answer-count validation and does not confirm that the requesting user is permitted to modify the quiz content. The end result is an authorization gap: legitimate authentication is present, but the system does not sufficiently restrict what authenticated users are allowed to do.
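To make the authorization gap concrete, the following is an added illustration written for this post; it is not LearnPress code and does not reproduce the plugin's actual handler. It shows a generic WordPress AJAX deletion handler in the weak form the advisory describes (nonce verified, only a minimum answer count enforced) next to a hardened form that adds a current_user_can() check and an ownership check before the write. The action name demo_delete_answer, the nonce action demo_quiz, the _demo_answers post meta layout and the demo_* helpers are constructed for the example, as is the assumption that a quiz question is stored as a WordPress post so that the built-in edit_post meta capability can be checked against it.

```php
<?php
/**
 * Added illustration (not LearnPress code): a generic WordPress AJAX handler
 * that deletes a quiz answer, first with the weakness the advisory describes
 * (nonce only) and then with an authorization check added.
 *
 * Hypothetical names: the 'demo_delete_answer' action, the 'demo_quiz' nonce
 * action, the '_demo_answers' post meta key and the demo_* storage helpers
 * are constructed for this example. It assumes each quiz question is a post,
 * so 'edit_post' can be checked against its ID.
 */

// --- Weak pattern: the nonce proves the request came from a page served to a
//     logged-in user, but says nothing about what that user may do. Any role
//     that can obtain the nonce passes this check. Not registered on purpose.
function demo_delete_answer_weak() {
    check_ajax_referer( 'demo_quiz', 'nonce' ); // CSRF check only

    $question_id = absint( $_POST['question_id'] ?? 0 );
    $answer_id   = absint( $_POST['answer_id'] ?? 0 );

    // The only rule enforced is a minimum answer count, mirroring the gap.
    if ( demo_count_answers( $question_id ) <= 2 ) {
        wp_send_json_error( 'A question needs at least two answers.', 400 );
    }

    demo_delete_answer_row( $question_id, $answer_id );
    wp_send_json_success();
}

// --- Hardened pattern: authentication (nonce) and authorization (capability)
//     are separate checks, and both must pass before anything is modified.
function demo_delete_answer_secure() {
    check_ajax_referer( 'demo_quiz', 'nonce' );

    $question_id = absint( $_POST['question_id'] ?? 0 );
    $answer_id   = absint( $_POST['answer_id'] ?? 0 );

    // Object-level authorization: WordPress maps the 'edit_post' meta capability
    // to the roles allowed to edit that specific post, so a Subscriber (or an
    // instructor editing someone else's question) receives a 403.
    if ( ! $question_id || ! current_user_can( 'edit_post', $question_id ) ) {
        wp_send_json_error( 'You are not allowed to modify this question.', 403 );
    }

    // Bind the answer to the question that was just authorized, so a permitted
    // question ID cannot be paired with an answer belonging to another question.
    if ( ! demo_answer_belongs_to_question( $answer_id, $question_id ) ) {
        wp_send_json_error( 'Answer does not belong to this question.', 400 );
    }

    if ( demo_count_answers( $question_id ) <= 2 ) {
        wp_send_json_error( 'A question needs at least two answers.', 400 );
    }

    demo_delete_answer_row( $question_id, $answer_id );
    wp_send_json_success();
}

// Registered for logged-in users only (no wp_ajax_nopriv_ counterpart): this is
// exactly the "authenticated but not authorized" surface the advisory describes.
add_action( 'wp_ajax_demo_delete_answer', 'demo_delete_answer_secure' );

// --- Constructed storage helpers standing in for the plugin's data layer.
//     Answers are kept as an array keyed by answer ID in one post meta entry.
function demo_count_answers( $question_id ) {
    $answers = get_post_meta( $question_id, '_demo_answers', true );
    return is_array( $answers ) ? count( $answers ) : 0;
}

function demo_answer_belongs_to_question( $answer_id, $question_id ) {
    $answers = get_post_meta( $question_id, '_demo_answers', true );
    return is_array( $answers ) && isset( $answers[ $answer_id ] );
}

function demo_delete_answer_row( $question_id, $answer_id ) {
    $answers = get_post_meta( $question_id, '_demo_answers', true );
    if ( is_array( $answers ) ) {
        unset( $answers[ $answer_id ] );
        update_post_meta( $question_id, '_demo_answers', $answers );
    }
}
```

The design point is that check_ajax_referer() and current_user_can() answer different questions. The nonce answers "did this request come from a page I served to this session?", which is an anti-CSRF property; the capability check answers "is this user allowed to change this object?". When reviewing a plugin's AJAX or REST handlers, the quick test is to look for a state-changing branch that reaches a write with only the first of these two calls present.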

Technical or Business Impacts

The direct impact is unauthorized deletion of quiz question answers, which is primarily an integrity issue (consistent with the CVSS vector indicating I:L and no confidentiality impact). For a training, certification, or revenue-generating course business, this can create meaningful operational and reputational risk.

Business consequences may include:

• Course quality and learner trust erosion: Learners may encounter broken or incomplete quizzes, creating support tickets, refunds, and negative reviews that hurt conversion rates and brand perception.

• Compliance and audit concerns: If quizzes support regulated training (HR, safety, financial services, healthcare, etc.), altered assessments can undermine record reliability and raise questions during internal reviews or external audits.

• Operational disruption: Teams may need to restore content, troubleshoot quiz integrity, or rebuild assessments—pulling time away from marketing campaigns, product launches, and revenue-driving initiatives.

• Increased risk in high-volume environments: Organizations with many low-privilege accounts (students/learners) face greater exposure simply because there are more potential authenticated users who could intentionally abuse the flaw or inadvertently trigger destructive actions.

Remediation: Update LearnPress to version 4.3.3 or newer (patched). Reference: Wordfence vulnerability record and CVE-2026-3225.
