CVE-2026-3226: CWE-862 Missing Authorization in thimpress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
AI Analysis
Technical Summary
The LearnPress WordPress LMS Plugin contains a missing authorization vulnerability (CWE-862) in all versions up to 4.3.2.8. The SendEmailAjax class has 10 functions that can be triggered via AJAX without proper current_user_can() checks, despite verifying a wp_rest nonce. Since the nonce is available to all authenticated users, attackers with Subscriber-level privileges can abuse this to send arbitrary email notifications to admins, instructors, and users. This flaw enables email flooding and social engineering attacks by impersonating administrative decisions related to instructor requests.
Potential Impact
The vulnerability allows authenticated users with low privileges (Subscriber or higher) to send arbitrary email notifications within the LMS environment. This can result in disruptive email flooding, potential social engineering attacks, and impersonation of administrative actions, potentially undermining trust and operational integrity of the affected WordPress LMS sites. There is no indication of direct data compromise or system takeover from the available information.
Mitigation Recommendations
Patch status is not yet confirmed — no official patch or remediation guidance is currently available from the vendor. Until a fix is released, administrators should consider restricting user roles that have access to authenticated sessions or implement custom capability checks on the affected AJAX handlers if feasible. Monitor vendor advisories for updates on official fixes.
CVE-2026-3226: CWE-862 Missing Authorization in thimpress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The LearnPress WordPress LMS Plugin contains a missing authorization vulnerability (CWE-862) in all versions up to 4.3.2.8. The SendEmailAjax class has 10 functions that can be triggered via AJAX without proper current_user_can() checks, despite verifying a wp_rest nonce. Since the nonce is available to all authenticated users, attackers with Subscriber-level privileges can abuse this to send arbitrary email notifications to admins, instructors, and users. This flaw enables email flooding and social engineering attacks by impersonating administrative decisions related to instructor requests.
Potential Impact
The vulnerability allows authenticated users with low privileges (Subscriber or higher) to send arbitrary email notifications within the LMS environment. This can result in disruptive email flooding, potential social engineering attacks, and impersonation of administrative actions, potentially undermining trust and operational integrity of the affected WordPress LMS sites. There is no indication of direct data compromise or system takeover from the available information.
Mitigation Recommendations
Patch status is not yet confirmed — no official patch or remediation guidance is currently available from the vendor. Until a fix is released, administrators should consider restricting user roles that have access to authenticated sessions or implement custom capability checks on the affected AJAX handlers if feasible. Monitor vendor advisories for updates on official fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-25T20:01:19.815Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69b22c262f860ef943edb6e1
Added to database: 3/12/2026, 2:59:50 AM
Last enriched: 4/9/2026, 6:46:40 PM
Last updated: 4/28/2026, 7:22:24 AM
Views: 106
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.