CVE-2026-4333: LearnPress WordPress LMS XSS Vulnerability

CVE-2026-4333 Overview

The LearnPress – WordPress LMS Plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the skin attribute of the learn_press_courses shortcode. This security flaw affects all versions up to and including 4.3.3 and stems from insufficient input sanitization and output escaping. The vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages that execute whenever users access the compromised content.

Critical Impact

Authenticated attackers can inject persistent malicious JavaScript that executes in the browsers of all users who view the affected pages, potentially leading to session hijacking, credential theft, or further attacks against site visitors.

Affected Products

• LearnPress – WordPress LMS Plugin versions up to and including 4.3.3
• WordPress installations using vulnerable LearnPress versions
• All WordPress sites with Contributor-level or higher user accounts using affected plugin

Discovery Timeline

• April 8, 2026 - CVE-2026-4333 published to NVD
• April 8, 2026 - Last updated in NVD database

Technical Details for CVE-2026-4333

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability exists in the ListCoursesShortcode.php file within the LearnPress plugin. The flaw occurs because the skin attribute value from the learn_press_courses shortcode is used directly in an sprintf() call that generates HTML output, specifically within class attributes and data-layout attributes. The absence of proper esc_attr() escaping allows attackers to break out of the attribute context and inject arbitrary JavaScript code.

When a user with at least Contributor-level permissions creates or edits a post containing the malicious shortcode, the injected script becomes stored in the WordPress database. Subsequently, every visitor who views the page will have the malicious script executed in their browser context, making this a persistent XSS attack vector.

Root Cause

The root cause is improper output encoding in the shortcode rendering logic. The skin shortcode attribute is passed directly to sprintf() for HTML generation without sanitization through WordPress's built-in escaping functions like esc_attr(). This violates secure coding practices for WordPress plugin development, where all user-controllable data must be escaped before being rendered in HTML output contexts.

Attack Vector

The attack requires network access and low-privilege authentication (Contributor-level). An attacker crafts a malicious learn_press_courses shortcode with a specially crafted skin attribute value designed to escape the HTML attribute context and inject JavaScript. Once published or saved as a draft (depending on WordPress permissions), the payload persists in the database and executes for all users viewing the affected page.

The malicious shortcode would be embedded in a post or page using the WordPress editor. When the page renders, the unsanitized skin value breaks out of the intended HTML attribute and injects script tags or event handlers that execute arbitrary JavaScript in the victim's browser.

Detection Methods for CVE-2026-4333

Indicators of Compromise

• Unusual or obfuscated content in the skin attribute of learn_press_courses shortcodes within posts or pages
• JavaScript event handlers or script tags appearing in shortcode attributes in the database
• Reports of unexpected browser behavior or redirects when viewing pages containing LearnPress course listings
• Web application firewall (WAF) logs showing XSS patterns in POST requests to WordPress admin

Detection Strategies

• Implement Content Security Policy (CSP) headers and monitor for CSP violation reports indicating inline script execution attempts
• Deploy web application firewall rules to detect XSS patterns in shortcode attribute values
• Audit WordPress database wp_posts table for suspicious patterns in shortcode attributes containing script tags or event handlers
• Enable WordPress security plugins with real-time malware scanning capabilities

Monitoring Recommendations

• Monitor authentication logs for unusual activity from Contributor-level accounts
• Implement file integrity monitoring on LearnPress plugin files to detect unauthorized modifications
• Review page content changes through WordPress revision history for suspicious shortcode modifications
• Configure alerts for new or modified posts containing learn_press_courses shortcodes

How to Mitigate CVE-2026-4333

Immediate Actions Required

• Update LearnPress plugin to the latest patched version immediately
• Audit all existing posts and pages containing learn_press_courses shortcodes for malicious content
• Review and restrict Contributor-level user accounts to trusted individuals only
• Consider temporarily disabling the LearnPress plugin until patches can be applied

Patch Information

A security patch addressing this vulnerability is available. Site administrators should update the LearnPress plugin through the WordPress admin dashboard or via WP-CLI. The patch implements proper esc_attr() escaping for the skin attribute before HTML output generation. For technical details on the fix, refer to the WordPress LearnPress Changeset History and the Wordfence Vulnerability Report.

Workarounds

• Restrict user registration and limit Contributor-level access to trusted users only until the plugin is updated
• Implement a Web Application Firewall (WAF) with XSS protection rules to filter malicious shortcode attribute values
• Use WordPress security plugins to scan for and block XSS payloads in post content
• Temporarily disable the learn_press_courses shortcode functionality if course listings are not critical

# WordPress CLI command to update LearnPress plugin
wp plugin update learnpress

# Verify current plugin version after update
wp plugin get learnpress --field=version

# Search for potentially malicious shortcode content in database
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%learn_press_courses%' AND (post_content LIKE '%<script%' OR post_content LIKE '%onerror%' OR post_content LIKE '%onclick%')"