CVE-2026-4365

Name of the Vulnerable Software and Affected Versions LearnPress plugin for WordPress versions up to 4.3.2.8

Description The plugin allows unauthorized data deletion because the delete question answer() function lacks a capability check. It exposes a wp rest nonce in the public frontend HTML (lpData) to unauthenticated visitors, which serves as the sole security measure for the 'lp-load-ajax' AJAX dispatcher. This allows unauthenticated attackers to delete quiz answer options by sending a crafted POST request.

Recommendations As a temporary workaround, consider disabling the delete question answer() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.