CVE-2026-4365 Overview
The LearnPress plugin for WordPress contains a critical authorization bypass vulnerability that enables unauthenticated attackers to delete quiz answer options without any capability or ownership checks. The vulnerability exists in the delete_question_answer() function across all versions up to and including 4.3.2.8.
The core issue stems from an architectural security flaw where the plugin exposes a wp_rest nonce publicly in frontend HTML through the lpData JavaScript object, accessible to unauthenticated visitors. This nonce serves as the sole security gate for the lp-load-ajax AJAX dispatcher, and the delete_question_answer action performs no additional capability or ownership verification.
Critical Impact
Unauthenticated attackers can delete any quiz answer option across the WordPress site by sending a crafted POST request with a publicly available nonce, leading to complete destruction of educational content and assessment data.
Affected Products
- LearnPress WordPress Plugin versions up to and including 4.3.2.8
- WordPress installations using vulnerable LearnPress versions
- Learning Management System (LMS) sites built with LearnPress
Discovery Timeline
- 2026-04-14 - CVE CVE-2026-4365 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-4365
Vulnerability Analysis
This vulnerability represents a classic Missing Authorization (CWE-862) flaw with severe consequences for WordPress-based learning management systems. The vulnerability enables complete bypass of WordPress's standard capability system, allowing any unauthenticated user to perform privileged administrative actions.
The attack is particularly dangerous because it requires no authentication and can be executed remotely over the network. The publicly exposed nonce in the lpData JavaScript object—intended for legitimate AJAX functionality—becomes the single point of failure in the authorization chain. When combined with the absence of capability checks in the delete_question_answer action handler, attackers gain unrestricted ability to delete quiz content.
The integrity and availability impact is significant: attackers can systematically destroy quiz data, rendering courses unusable and potentially corrupting the entire educational content database. While confidentiality is not directly impacted, the data destruction capabilities make this a critical concern for any organization using LearnPress.
Root Cause
The root cause is twofold: first, the exposure of security nonces in publicly accessible JavaScript objects (lpData) in the frontend HTML, and second, the complete absence of WordPress capability checks or ownership verification in the delete_question_answer() function. The AJAX dispatcher at lp-load-ajax relies solely on nonce verification, which becomes meaningless when the nonce is publicly available to all site visitors.
Attack Vector
An attacker can exploit this vulnerability by:
- Visiting any page on a WordPress site running the vulnerable LearnPress plugin
- Extracting the wp_rest nonce from the publicly accessible lpData JavaScript object in the page source
- Crafting a malicious POST request to the lp-load-ajax endpoint with the delete_question_answer action
- Including the extracted nonce and target answer option ID in the request payload
The attack can be automated to enumerate and delete all quiz answer options across the site, effectively destroying course assessment functionality.
For technical implementation details, refer to the WordPress LearnPress Ajax Code which shows the AJAX dispatcher implementation, and the WordPress LearnPress Edit Question Code which contains the vulnerable function. The nonce exposure can be examined in the WordPress LearnPress Asset Class Code.
Detection Methods for CVE-2026-4365
Indicators of Compromise
- Unexpected POST requests to /wp-admin/admin-ajax.php with action parameter lp-load-ajax and sub-action delete_question_answer from unauthenticated sessions
- Unusual volume of quiz answer deletions without corresponding administrative user activity
- Web server logs showing repeated AJAX calls to LearnPress endpoints from external IP addresses
- Missing or corrupted quiz data in the WordPress database without legitimate administrative changes
Detection Strategies
- Monitor web application firewall (WAF) logs for POST requests targeting LearnPress AJAX endpoints without valid session cookies
- Implement database activity monitoring to detect unauthorized DELETE operations on LearnPress quiz-related tables
- Configure intrusion detection systems to alert on patterns of unauthenticated AJAX requests to lp-load-ajax
- Review WordPress admin activity logs for quiz content modifications that don't correlate with logged-in user actions
Monitoring Recommendations
- Enable detailed logging for all LearnPress plugin AJAX operations
- Set up alerts for quiz answer deletion events that occur outside of normal administrative sessions
- Monitor for anomalous traffic patterns to WordPress AJAX endpoints from unauthenticated sources
- Implement rate limiting on AJAX endpoints to slow potential automated exploitation attempts
How to Mitigate CVE-2026-4365
Immediate Actions Required
- Update LearnPress plugin to the latest patched version immediately if available
- Implement Web Application Firewall (WAF) rules to block unauthenticated requests to the delete_question_answer AJAX action
- Backup all quiz and course data before applying mitigations to ensure recovery capability
- Temporarily disable the LearnPress plugin if no patch is available and the site is critical
Patch Information
Review the Wordfence Vulnerability Report for the latest patch status and remediation guidance. Update to a version higher than 4.3.2.8 when the vendor releases a security patch that implements proper capability checks on the delete_question_answer() function.
Workarounds
- Implement server-level access controls to restrict access to LearnPress AJAX endpoints for unauthenticated users
- Deploy a WAF rule to validate that requests to sensitive LearnPress actions originate from authenticated administrative sessions
- Consider temporarily disabling quiz functionality if the plugin cannot be immediately updated
- Use WordPress security plugins to add additional authorization layers on AJAX handlers
# Example .htaccess rule to restrict LearnPress AJAX access
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php
RewriteCond %{QUERY_STRING} action=lp-load-ajax [NC,OR]
RewriteCond %{HTTP:X-Requested-With} !XMLHttpRequest
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
