LearnPress WordPress Plugin Allows Malicious Scripts in Course Pages

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.4

LearnPress WordPress Plugin Allows Malicious Scripts in Course Pages

CVE-2026-4333

Summary

The LearnPress WordPress plugin has a security flaw that lets attackers inject malicious code into course pages, potentially harming users who visit those pages. This vulnerability affects all versions of the plugin up to 4.3.3, so update to a newer version to fix it. If you're using an affected version, consider limiting access to your WordPress dashboard to prevent unauthorized users from exploiting the flaw.

Original title

Original description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on the 'skin' shortcode attribute. The attribute value is used directly in an sprintf() call that generates HTML (class attribute and data-layout attribute) without any esc_attr() escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

nvd CVSS3.1 6.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026