CVE-2024-11868: CWE-284 Improper Access Control in thimpress LearnPress – WordPress LMS Plugin
CVE-2024-11868 is a medium severity vulnerability in the LearnPress WordPress LMS plugin, affecting all versions up to 4. 2. 7. 3. It arises from improper access control (CWE-284) in the class-lp-rest-material-controller. php component, allowing unauthenticated attackers to access sensitive paid course materials. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. While it does not impact integrity or availability, it exposes confidential content, potentially undermining course providers' revenue and intellectual property. No known exploits are currently reported in the wild. Organizations using LearnPress for e-learning should prioritize patching or applying access restrictions to mitigate this risk.
AI Analysis
Technical Summary
CVE-2024-11868 is a vulnerability identified in the LearnPress plugin for WordPress, a widely used Learning Management System (LMS) plugin. The issue stems from improper access control (CWE-284) in the REST API endpoint implemented in class-lp-rest-material-controller.php. Specifically, the plugin fails to adequately restrict access to paid course materials, allowing unauthenticated attackers to retrieve sensitive content intended only for paying users. This exposure occurs because the REST controller does not enforce authentication or authorization checks before serving course materials. The vulnerability affects all versions up to and including 4.2.7.3. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality impact (C:L). There is no impact on integrity or availability. No patches or fixes are currently linked, and no active exploitation has been reported. However, the exposure of paid content can lead to revenue loss and intellectual property theft for course providers using the plugin.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of paid course materials, which can lead to significant financial losses for educational content creators and organizations relying on LearnPress for monetized e-learning. Confidentiality is compromised as sensitive instructional content is exposed without authentication. While the vulnerability does not affect data integrity or system availability, the leakage of proprietary educational content can damage brand reputation and reduce customer trust. Additionally, widespread exploitation could undermine the business model of LMS providers using this plugin. Since the vulnerability is exploitable remotely without authentication or user interaction, the attack surface is broad, potentially affecting any publicly accessible WordPress site running vulnerable versions of LearnPress. This risk is heightened for organizations with valuable or exclusive course content.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade LearnPress to a patched version once available from the vendor. In the absence of an official patch, administrators should implement strict access controls on REST API endpoints, restricting access to authenticated and authorized users only. This can be achieved by customizing the plugin code to enforce authentication checks in class-lp-rest-material-controller.php or by using WordPress security plugins that limit REST API access. Additionally, monitoring web server logs for unusual access patterns to course material endpoints can help detect exploitation attempts. Organizations should also review and tighten permissions for user roles within WordPress to minimize unauthorized data exposure. Regular backups and security audits of LMS installations are recommended to ensure integrity and timely detection of vulnerabilities.
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, Japan, South Korea
CVE-2024-11868: CWE-284 Improper Access Control in thimpress LearnPress – WordPress LMS Plugin
Description
CVE-2024-11868 is a medium severity vulnerability in the LearnPress WordPress LMS plugin, affecting all versions up to 4. 2. 7. 3. It arises from improper access control (CWE-284) in the class-lp-rest-material-controller. php component, allowing unauthenticated attackers to access sensitive paid course materials. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. While it does not impact integrity or availability, it exposes confidential content, potentially undermining course providers' revenue and intellectual property. No known exploits are currently reported in the wild. Organizations using LearnPress for e-learning should prioritize patching or applying access restrictions to mitigate this risk.
AI-Powered Analysis
Technical Analysis
CVE-2024-11868 is a vulnerability identified in the LearnPress plugin for WordPress, a widely used Learning Management System (LMS) plugin. The issue stems from improper access control (CWE-284) in the REST API endpoint implemented in class-lp-rest-material-controller.php. Specifically, the plugin fails to adequately restrict access to paid course materials, allowing unauthenticated attackers to retrieve sensitive content intended only for paying users. This exposure occurs because the REST controller does not enforce authentication or authorization checks before serving course materials. The vulnerability affects all versions up to and including 4.2.7.3. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality impact (C:L). There is no impact on integrity or availability. No patches or fixes are currently linked, and no active exploitation has been reported. However, the exposure of paid content can lead to revenue loss and intellectual property theft for course providers using the plugin.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of paid course materials, which can lead to significant financial losses for educational content creators and organizations relying on LearnPress for monetized e-learning. Confidentiality is compromised as sensitive instructional content is exposed without authentication. While the vulnerability does not affect data integrity or system availability, the leakage of proprietary educational content can damage brand reputation and reduce customer trust. Additionally, widespread exploitation could undermine the business model of LMS providers using this plugin. Since the vulnerability is exploitable remotely without authentication or user interaction, the attack surface is broad, potentially affecting any publicly accessible WordPress site running vulnerable versions of LearnPress. This risk is heightened for organizations with valuable or exclusive course content.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade LearnPress to a patched version once available from the vendor. In the absence of an official patch, administrators should implement strict access controls on REST API endpoints, restricting access to authenticated and authorized users only. This can be achieved by customizing the plugin code to enforce authentication checks in class-lp-rest-material-controller.php or by using WordPress security plugins that limit REST API access. Additionally, monitoring web server logs for unusual access patterns to course material endpoints can help detect exploitation attempts. Organizations should also review and tighten permissions for user roles within WordPress to minimize unauthorized data exposure. Regular backups and security audits of LMS installations are recommended to ensure integrity and timely detection of vulnerabilities.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-27T15:10:11.982Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e23b7ef31ef0b5968e8
Added to database: 2/25/2026, 9:48:19 PM
Last enriched: 2/26/2026, 8:00:44 AM
Last updated: 2/26/2026, 9:31:10 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing
HighCVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS
HighCVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews
HighCVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements
HighCVE-2026-28083: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in UX-themes Flatsome
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.