← back
CVE-2026-8383

LearnPress < 4.3.7 - Unauthenticated Sensitive User Information Disclosure via REST API

CVSS 5.3 MEDIUMEPSS 0.2%CWE-862
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Unknown · LearnPress
public PoCs found1
cve_referencewpscan.com/vulnerability/b7cbf68b-62c5-4787-b84b-69df9e0122b2/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/b7cbf68b-62c5-4787-b84b-69df9e0122b2/