CVE-2026-3226: CWE-862 Missing Authorization in thimpress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

Severity: Medium
Tags: Vulnerability, CVE-2026-3226, CWE-862
Published: Thu Mar 12 2026 (03/12/2026, 02:22:37 UTC)
Source: CVE Database V5
Vendor/Project: thimpress
Product: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.

AI-Powered Analysis

Last updated: 03/12/2026, 03:15:11 UTC

Technical Analysis

CVE-2026-3226 is a missing authorization vulnerability (CWE-862) in the LearnPress – WordPress LMS Plugin, widely used for creating and selling online courses. The vulnerability exists because the functions of the plugin's SendEmailAjax class lack a capability check (current_user_can()) before executing email notification actions. The AbstractAjax::catch_lp_ajax() dispatcher does verify a wp_rest nonce embedded in the frontend JavaScript, but that nonce is issued to every authenticated user, including those with minimal privileges such as Subscribers, so it proves only that the request came from a logged-in session, not that the user is permitted to perform the action. Consequently, any authenticated user can invoke these functions to send arbitrary email notifications to administrators, instructors, and other users. This can lead to email flooding, social engineering attacks, and impersonation of administrative decisions related to instructor requests. The vulnerability affects all plugin versions up to and including 4.3.2.8. The CVSS 3.1 base score is 4.3 (medium), reflecting low attack complexity, the requirement for authenticated access with low privileges, and an impact limited to integrity (unauthorized email sending) without affecting confidentiality or availability. No patches are currently linked, and no known exploits have been reported in the wild. The flaw stems from a design oversight in the authorization logic, where nonce verification is mistaken for an authorization check, allowing privilege escalation within the plugin's email notification system.

Potential Impact

The primary impact of this vulnerability is on the integrity of communications within affected WordPress sites using the LearnPress plugin. Attackers with Subscriber-level access can send unauthorized emails impersonating administrators or instructors, potentially misleading users and staff. This can facilitate social engineering attacks, phishing, or manipulation of course-related decisions. Email flooding could disrupt normal communication channels, causing operational inefficiencies and user distrust. While confidentiality and availability are not directly compromised, the reputational damage and potential for further exploitation via social engineering are significant. Organizations relying on LearnPress for e-learning may face increased risk of targeted attacks against their users and staff. The vulnerability could also be leveraged as a stepping stone for broader attacks if combined with other weaknesses. Given the widespread use of WordPress and LearnPress, the scope of affected systems is considerable, especially in education and training sectors.

Mitigation Recommendations

Immediate mitigation should focus on restricting user roles and capabilities to minimize the number of users with authenticated access, especially limiting Subscriber-level users where possible. Administrators should monitor outgoing email logs for unusual activity indicative of abuse. Since no official patch is currently linked, site owners should consider applying custom authorization checks by modifying the plugin code to include current_user_can() checks before email functions are executed. Alternatively, temporarily disabling the email notification features or the plugin itself until a patch is released can reduce risk. Employing Web Application Firewalls (WAF) with rules to detect and block suspicious AJAX requests related to SendEmailAjax functions can help mitigate exploitation attempts. Regularly updating WordPress core and plugins, and subscribing to vendor advisories for patch releases, is critical. Educating users about phishing and social engineering risks related to this vulnerability is also recommended.
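The following is an added illustration of the defect class described above and of the custom authorization check recommended here; it is not LearnPress's own code, and the class, hook, handler and capability names are assumptions chosen for the example. The weak dispatcher mirrors the pattern in the description (nonce verified, capability never checked); the hardened one maps each handler to the capability it requires and refuses the request before any handler runs.

```php
<?php
// Added example, not LearnPress code. Class names, the 'handler' POST field,
// the AJAX action name and the capability mapping are all assumptions.

// --- Weak pattern (CWE-862): nonce check mistaken for authorization ---
// check_ajax_referer() proves the request came from a page WordPress rendered
// for *some* logged-in user. Because the wp_rest nonce is issued to every
// authenticated user, a Subscriber satisfies this check just as an admin does.
class Weak_Email_Ajax {
    public static function dispatch() {
        check_ajax_referer( 'wp_rest', 'nonce' );          // authentication only
        $handler = sanitize_key( $_POST['handler'] ?? '' );
        if ( method_exists( __CLASS__, $handler ) ) {
            self::$handler();                               // no current_user_can() anywhere
        }
        wp_die();
    }

    public static function notify_instructor_approved() {
        // wp_mail( ... ) to the affected user would go here.
    }
}

// --- Hardened pattern: nonce AND capability, checked in the dispatcher ---
class Hardened_Email_Ajax {
    // Assumed mapping: handler name => capability that may trigger it.
    // Admin-only notifications require manage_options; instructor-facing
    // ones require a capability Subscribers do not have.
    const HANDLER_CAPS = [
        'notify_instructor_approved' => 'manage_options',
        'notify_course_enrolled'     => 'edit_posts',
    ];

    public static function dispatch() {
        // A purpose-specific nonce instead of the site-wide wp_rest nonce
        // (the matching wp_create_nonce() call lives in the enqueue code).
        check_ajax_referer( 'hardened_email_ajax', 'nonce' );

        $handler = sanitize_key( $_POST['handler'] ?? '' );
        if ( ! isset( self::HANDLER_CAPS[ $handler ] ) ) {
            // Allow-list: unknown handler names are rejected, not reflected.
            wp_send_json_error( [ 'message' => 'Unknown action' ], 400 );
        }

        // Authorization: the check the advisory says is missing.
        if ( ! current_user_can( self::HANDLER_CAPS[ $handler ] ) ) {
            // Denied attempts are worth logging; a burst from one account is
            // the signal to watch for alongside outgoing-mail volume.
            error_log( sprintf(
                'email-ajax denied: user=%d handler=%s',
                get_current_user_id(),
                $handler
            ) );
            wp_send_json_error( [ 'message' => 'Forbidden' ], 403 );
        }

        self::$handler();
        wp_send_json_success();
    }

    public static function notify_instructor_approved() {
        // wp_mail( ... ) to the approved instructor would go here.
    }

    public static function notify_course_enrolled() {
        // wp_mail( ... ) to the enrolled student would go here.
    }
}

// wp_ajax_* hooks only fire for logged-in users; there is deliberately no
// wp_ajax_nopriv_* registration for this action.
add_action( 'wp_ajax_hardened_email_ajax', [ 'Hardened_Email_Ajax', 'dispatch' ] );
```

wp_send_json_error() ends the request, so no handler runs once the nonce or capability check fails. The key design choice is that the capability is looked up from an allow-list keyed by handler name, so a new handler cannot be added without declaring who may call it; this is also the property to verify when reviewing a vendor fix for this CVE, and the 403 log line gives a concrete event to alert on while the site is still running an unpatched version.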


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-02-25T20:01:19.815Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b22c262f860ef943edb6e1

Added to database: 3/12/2026, 2:59:50 AM

Last enriched: 3/12/2026, 3:15:11 AM

Last updated: 3/14/2026, 3:19:08 AM
