CVE-2026-8383 Overview
CVE-2026-8383 affects the LearnPress WordPress plugin in versions prior to 4.3.7. The plugin fails to gate the edit context on one of its REST API endpoints behind the edit_users capability check. Unauthenticated visitors can craft requests that return each user's roles, full capabilities map, extra capabilities, locale, and registration date. The flaw maps to CWE-862: Missing Authorization and exposes information typically reserved for administrators.
Critical Impact
Unauthenticated attackers can enumerate WordPress user accounts, roles, and capabilities, providing reconnaissance for targeted credential attacks and privilege-focused exploitation.
Affected Products
- LearnPress WordPress plugin versions before 4.3.7
- WordPress sites running LearnPress with public REST API access
- Learning Management System (LMS) deployments exposing the affected endpoint
Discovery Timeline
- 2026-06-17 - CVE-2026-8383 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-8383
Vulnerability Analysis
The vulnerability resides in a LearnPress REST API endpoint that accepts a context parameter. WordPress conventionally restricts the edit context to users holding the edit_users capability. LearnPress does not enforce this capability check on the affected endpoint. As a result, unauthenticated clients can request the edit context and receive privileged user fields in the response.
The data exposed includes user roles, the complete capabilities map, extra capabilities assigned outside roles, user locale, and account registration date. This information enables attackers to identify administrators, target accounts with elevated privileges, and craft socially engineered or credential-stuffing campaigns against high-value users.
Root Cause
The root cause is missing authorization logic [CWE-862] on the REST endpoint's permission callback. The handler returns the verbose user object whenever context=edit is supplied, without verifying the caller's WordPress capabilities. Correct behavior requires checking current_user_can('edit_users') or falling back to the view context for unprivileged requests.
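The pattern described above, as an added example that is not LearnPress code: a REST handler whose edit context returns the privileged fields with no gate, beside a permission callback that enforces edit_users the way WordPress core does. The route namespace, function names and field selection are assumptions.

```php
<?php
// Added example (not LearnPress code). Route name, function names and the
// exact fields returned are assumptions for illustration.

// Vulnerable pattern: the only thing deciding whether privileged fields are
// returned is the caller-controlled ?context=edit parameter.
function example_get_user( WP_REST_Request $request ) {
    $user = get_userdata( (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user.', [ 'status' => 404 ] );
    }
    $data = [ 'id' => $user->ID, 'name' => $user->display_name ];
    if ( 'edit' === $request['context'] ) {      // no capability check here (CWE-862)
        $data['roles']              = $user->roles;
        $data['capabilities']       = $user->allcaps;
        $data['extra_capabilities'] = $user->caps;
        $data['locale']             = get_user_locale( $user );
        $data['registered_date']    = $user->user_registered;
    }
    return rest_ensure_response( $data );
}

// Hardened pattern: refuse the edit context unless the caller holds
// edit_users, mirroring WP_REST_Users_Controller's rest_forbidden_context.
function example_user_permission( WP_REST_Request $request ) {
    if ( 'edit' === $request['context'] && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error(
            'rest_forbidden_context',
            'Sorry, you are not allowed to use the edit context.',
            [ 'status' => rest_authorization_required_code() ] // 401 anon, 403 logged-in
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_user',
        'permission_callback' => 'example_user_permission', // the missing gate
        'args'                => [
            'context' => [ 'default' => 'view', 'enum' => [ 'view', 'edit' ] ],
        ],
    ] );
} );
```

With the permission callback in place an anonymous ?context=edit request receives a 401 error body instead of the user object; ?context=view keeps working for everyone.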
Attack Vector
The attack is remote and network-based, requiring no authentication or user interaction. An attacker issues a crafted HTTP GET request to the vulnerable LearnPress REST route with the context query parameter set to edit. The server returns expanded user metadata for every enumerable account. Attackers can iterate over user IDs or paginate listings to harvest the entire user directory.
No verified exploit code is published. Refer to the WPScan Vulnerability Report for technical details on the affected endpoint and parameters.
Detection Methods for CVE-2026-8383
Indicators of Compromise
- Unauthenticated HTTP requests to LearnPress REST routes containing context=edit in the query string
- Repeated REST API requests enumerating sequential user IDs from a single source IP
- Responses returning user capabilities, extra_capabilities, roles, or registered_date fields to anonymous callers
- User-Agent strings associated with automated scanners or scripted HTTP clients hitting /wp-json/ endpoints
Detection Strategies
- Inspect web server access logs for requests to LearnPress REST namespaces containing the context=edit parameter without an authenticated session cookie or nonce
- Deploy WAF rules that block or alert on unauthenticated REST API requests using the edit context
- Correlate high-volume REST API enumeration patterns against single client IPs and flag anomalous user listing activity
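One way to run the first and third strategies over web server access logs, as an added example that is not part of the advisory or of LearnPress. The log lines are constructed; the route prefix /wp-json/learnpress/ and the three-request threshold are assumptions, and because the standard combined log format carries no cookies, the rule flags every successful context=edit hit rather than only anonymous ones.

```php
<?php
// Added example (not from the advisory). Log lines are constructed samples;
// the route prefix and the enumeration threshold are assumptions.
$sample_log = <<<'LOG'
203.0.113.7 - - [17/Jun/2026:10:01:02 +0000] "GET /wp-json/learnpress/v1/users/1?context=edit HTTP/1.1" 200 2310 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jun/2026:10:01:03 +0000] "GET /wp-json/learnpress/v1/users/2?context=edit HTTP/1.1" 200 2190 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jun/2026:10:01:03 +0000] "GET /wp-json/learnpress/v1/users/3?context=edit HTTP/1.1" 200 2244 "-" "python-requests/2.31"
198.51.100.4 - - [17/Jun/2026:10:05:10 +0000] "GET /wp-json/learnpress/v1/users/5?context=view HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Jun/2026:10:06:00 +0000] "GET /wp-json/wp/v2/posts?context=edit HTTP/1.1" 401 95 "-" "Mozilla/5.0"
LOG;

/** Parse one combined-format access log line into the fields the rules need. */
function parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $path = parse_url( $m[4], PHP_URL_PATH ) ?? '';
    parse_str( parse_url( $m[4], PHP_URL_QUERY ) ?? '', $query );
    return [ 'ip' => $m[1], 'path' => $path, 'query' => $query,
             'status' => (int) $m[5], 'ua' => $m[6] ];
}

/** Group successful context=edit requests to LearnPress routes by client IP. */
function find_edit_context_hits( string $log ): array {
    $hits = [];
    foreach ( explode( "\n", trim( $log ) ) as $line ) {
        $r = parse_line( $line );
        if ( ! $r || 200 !== $r['status'] ) continue;                       // only leaks that succeeded
        if ( 0 !== strpos( $r['path'], '/wp-json/learnpress/' ) ) continue; // LearnPress namespace only
        if ( 'edit' !== ( $r['query']['context'] ?? '' ) ) continue;        // the vulnerable context
        $hits[ $r['ip'] ][] = $r['path'];
    }
    return $hits;
}

foreach ( find_edit_context_hits( $sample_log ) as $ip => $paths ) {
    $distinct = count( array_unique( $paths ) );
    printf( "%s: %d edit-context requests, %d distinct LearnPress URLs%s\n",
        $ip, count( $paths ), $distinct, $distinct >= 3 ? '  <-- enumeration' : '' );
}
```

On the sample above only 203.0.113.7 is reported, since the 198.51.100.4 requests used the view context or were rejected with 401.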
Monitoring Recommendations
- Enable verbose logging on /wp-json/learnpress/ endpoints and forward to centralized log analytics
- Alert on response payloads containing capabilities or extra_capabilities keys served with HTTP 200 to unauthenticated clients
- Track user enumeration patterns and unusual access to administrator account metadata
How to Mitigate CVE-2026-8383
Immediate Actions Required
- Upgrade LearnPress to version 4.3.7 or later on all WordPress sites
- Audit recent web server logs for unauthenticated requests using context=edit against LearnPress REST routes
- Rotate credentials for administrator accounts whose metadata may have been exposed
- Restrict public access to the WordPress REST API where business requirements allow
Patch Information
The LearnPress maintainers addressed the missing authorization issue in version 4.3.7 by enforcing the edit_users capability check on the affected REST endpoint. Site operators should apply the update through the WordPress plugin dashboard or via WP-CLI. See the WPScan Vulnerability Report for vendor remediation details.
Workarounds
- Deploy a WAF rule blocking unauthenticated REST requests containing context=edit against LearnPress namespaces until patching is complete
- Use a WordPress hardening plugin or custom rest_authentication_errors filter to require authentication for all REST API access
- Temporarily disable the LearnPress plugin on production sites that cannot be patched immediately
# Update LearnPress via WP-CLI
wp plugin update learnpress --version=4.3.7
# Verify installed version
wp plugin get learnpress --field=version

<?php
// Optional: require authentication on the whole REST API.
// Save as a must-use plugin, e.g. wp-content/mu-plugins/require-rest-auth.php
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Do not overwrite an error (or a successful result) set by an earlier filter.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', [ 'status' => 401 ] );
    }
    return $result;
} );
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.