CVE-2026-8383: CWE-862 Missing Authorization in LearnPress
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request
AI Analysis
Technical Summary
CVE-2026-8383 is a missing authorization vulnerability (CWE-862) in the LearnPress WordPress plugin prior to version 4.3.7. The vulnerability occurs because the REST endpoint handling the 'edit' context does not enforce the required 'edit_users' capability check. As a result, unauthenticated attackers can retrieve detailed user information including roles, capabilities, locale, and registration dates via crafted requests to this endpoint. This exposure of sensitive user data could aid attackers in further attacks or reconnaissance. No CVSS score or vendor advisory is available, and no patch or official remediation has been confirmed.
Potential Impact
Unauthenticated attackers can access sensitive user information such as user roles, full capabilities, extra capabilities, locale, and registration date. This information disclosure could facilitate further targeted attacks or privilege escalation attempts. There is no evidence of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected REST endpoints if possible or implement additional access controls at the web server or application firewall level to block unauthenticated requests targeting these endpoints.
CVE-2026-8383: CWE-862 Missing Authorization in LearnPress
Description
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-8383 is a missing authorization vulnerability (CWE-862) in the LearnPress WordPress plugin prior to version 4.3.7. The vulnerability occurs because the REST endpoint handling the 'edit' context does not enforce the required 'edit_users' capability check. As a result, unauthenticated attackers can retrieve detailed user information including roles, capabilities, locale, and registration dates via crafted requests to this endpoint. This exposure of sensitive user data could aid attackers in further attacks or reconnaissance. No CVSS score or vendor advisory is available, and no patch or official remediation has been confirmed.
Potential Impact
Unauthenticated attackers can access sensitive user information such as user roles, full capabilities, extra capabilities, locale, and registration date. This information disclosure could facilitate further targeted attacks or privilege escalation attempts. There is no evidence of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected REST endpoints if possible or implement additional access controls at the web server or application firewall level to block unauthenticated requests targeting these endpoints.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WPScan
- Date Reserved
- 2026-05-12T09:19:47.748Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3250bf0b89be6888f7d733
Added to database: 6/17/2026, 7:46:07 AM
Last enriched: 6/17/2026, 8:01:07 AM
Last updated: 6/17/2026, 12:54:08 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.