CVE-2026-3225: CWE-862 Missing Authorization in thimpress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
CVE-2026-3225 is a medium-severity vulnerability in the LearnPress WordPress LMS plugin that allows authenticated users with Subscriber-level access or higher to delete quiz question answers without proper authorization. The flaw arises from a missing capability check in the delete_question_answer() function, where the REST nonce is verified but user permissions are not. This enables unauthorized modification of quiz content, potentially disrupting online courses. The vulnerability affects all versions up to 4.3.2.8 and does not impact confidentiality or availability but compromises data integrity. There are no known exploits in the wild, and no patches have been released yet. Organizations using LearnPress for online education should urgently review user roles and restrict access to trusted users. Monitoring and applying updates once available is critical to prevent misuse.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-3225 affects the LearnPress – WordPress LMS Plugin, a widely used plugin for creating and selling online courses on WordPress sites. The issue stems from a missing authorization check (CWE-862) in the delete_question_answer() function within the EditQuestionAjax class. Although the plugin verifies a valid wp_rest nonce via the AbstractAjax::catch_lp_ajax() dispatcher, a nonce only establishes that the request originated from the site's own front end (a CSRF defence); the handler performs no current_user_can() capability check before deleting quiz question answers, so it never asks whether the caller is allowed to edit that question. Additionally, the QuestionAnswerModel::delete() method only enforces minimum answer counts and does not validate user permissions. Consequently, any authenticated user with Subscriber-level access or higher can delete answer options from any quiz question on the site, leading to unauthorized modification of course content. This vulnerability affects all versions up to and including 4.3.2.8. The CVSS v3.1 base score is 4.3 (medium), reflecting the ease of exploitation (network attack vector, low attack complexity, low privileges required, no user interaction) and the limited impact on integrity without affecting confidentiality or availability. No known exploits have been reported in the wild, and no official patches are currently available. The flaw primarily threatens the integrity of quiz data, potentially undermining the reliability of assessments and course quality.
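The pattern described above, a nonce check without an authorization check, is common in WordPress AJAX handlers. The following is an added illustrative example, not LearnPress's own code: a generic handler in the vulnerable shape beside its hardened form. The function names, the `lp_delete_answer` action, the `question_id`/`answer_id` parameters, the post-meta storage and the minimum answer count of two are all assumptions chosen for the illustration.

```php
<?php
// Illustrative example only; not the LearnPress plugin's code. All names below
// (lp_example_*, the 'lp_delete_answer' action, '_lp_example_answers' meta key)
// are assumed for the demonstration.

// Assumed storage model: a question's answers kept in post meta as an array
// keyed by answer id. The advisory notes the real model enforces only a
// minimum answer count (value assumed here: two) and never checks permissions.
function lp_example_model_delete( $question_id, $answer_id ) {
    $answers = get_post_meta( $question_id, '_lp_example_answers', true );
    if ( ! is_array( $answers ) || ! isset( $answers[ $answer_id ] ) ) {
        return new WP_Error( 'not_found', 'Answer not found.' );
    }
    if ( count( $answers ) <= 2 ) {
        return new WP_Error( 'min_answers', 'A question must keep at least two answers.' );
    }
    unset( $answers[ $answer_id ] );
    update_post_meta( $question_id, '_lp_example_answers', $answers );
    return true;
}

// Vulnerable shape (CWE-862): the nonce proves the request came from the site's
// own front end, which defends against CSRF, but says nothing about what the
// caller may do. Every logged-in user, Subscriber included, reaches the delete.
function lp_example_delete_answer_vulnerable() {
    check_ajax_referer( 'wp_rest', 'nonce' );   // CSRF check only, no authorization

    $question_id = absint( $_POST['question_id'] ?? 0 );
    $answer_id   = absint( $_POST['answer_id'] ?? 0 );

    $result = lp_example_model_delete( $question_id, $answer_id );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success();
}

// Hardened shape: authorization is checked against the specific object. The
// 'edit_post' meta capability lets WordPress resolve post type and ownership
// rules, so a Subscriber (who has no edit capability) is rejected with 403.
function lp_example_delete_answer_hardened() {
    check_ajax_referer( 'wp_rest', 'nonce' );

    $question_id = absint( $_POST['question_id'] ?? 0 );
    $answer_id   = absint( $_POST['answer_id'] ?? 0 );

    if ( ! $question_id || ! $answer_id ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // The check the advisory says is missing: may this user edit this question?
    if ( ! current_user_can( 'edit_post', $question_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    $result = lp_example_model_delete( $question_id, $answer_id );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success();
}

// Register only the hardened handler. wp_ajax_* hooks fire for logged-in users;
// the wp_ajax_nopriv_* variant is deliberately left unregistered.
add_action( 'wp_ajax_lp_delete_answer', 'lp_example_delete_answer_hardened' );
```

Two design points matter for defenders. The capability check is made against the object id (`current_user_can( 'edit_post', $question_id )`) rather than a blanket role test, so it stays correct if the site grants instructors edit rights on their own questions only. And the 403 response gives monitoring a concrete signal: repeated 403s on this action from a low-privileged account are the "unusual deletion activity" the mitigation section recommends alerting on.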
Potential Impact
The primary impact of this vulnerability is on the integrity of online course content managed via the LearnPress plugin. Unauthorized deletion of quiz answers can disrupt assessments, degrade the learning experience, and potentially cause loss of trust in the educational platform. While confidentiality and availability remain unaffected, the ability for low-privileged users to alter quiz content could be exploited for sabotage or to manipulate course outcomes. Organizations relying on LearnPress for e-learning, certification, or training may face reputational damage and operational disruption. The scope includes any WordPress site using vulnerable versions of LearnPress, which could be significant given the plugin's popularity in the online education sector. Although no exploits are known in the wild, the vulnerability's low complexity and network accessibility make it a credible risk if weaponized.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit user roles and permissions within WordPress, ensuring that only trusted users have Subscriber-level or higher access. Restricting user registrations and enforcing strict role assignments can reduce the attack surface. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the delete_question_answer() endpoint may provide temporary protection. Site administrators should monitor plugin updates closely and apply patches as soon as they are released by the vendor. In the absence of official patches, consider temporarily disabling quiz answer editing features or replacing LearnPress with alternative LMS plugins that enforce proper authorization checks. Additionally, regular backups of course data will facilitate recovery in case of unauthorized modifications. Security teams should also review logs for unusual deletion activity and alert on anomalous behavior related to quiz content management.
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-25T19:03:11.576Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c1d4a9f4197a8e3ba0b47f
Added to database: 3/24/2026, 12:02:49 AM
Last enriched: 3/24/2026, 12:06:59 AM
Last updated: 3/24/2026, 5:20:12 AM