CVE-2026-11988: The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure
mediumvulnerability
security
Summary
The LearnPress WordPress plugin (versions up to 4.3.9.1) has a security flaw called IDOR (insecure direct object reference, where attackers bypass checks meant to prevent accessing other users' data) in the 'userId' parameter. An authenticated user with subscriber-level access or higher can view course enrollment and completion information belonging to teacher or administrator accounts by exploiting missing validation checks.
Vulnerability Details
CVSS Score
6.5(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
low
User Interaction
none
Disclosure Date
July 1, 2026
Classification
Attack SophisticationTrivial
Taxonomy References
CWE (Weakness Type)
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-11988
First tracked: July 1, 2026 at 02:07 AM
Classified by LLM (prompt v3) · confidence: 95%