CVE-2026-8502 Overview
CVE-2026-8502 is a sensitive information exposure vulnerability in the LearnPress – WordPress LMS Plugin for Create and Sell Online Courses. All versions up to and including 4.3.6 are affected. The flaw resides in the /wp-json/lp/v1/courses/archive-course REST endpoint, where the return_type parameter combined with c_status=all triggers an unrestricted SELECT * fallback query. Unauthenticated attackers can extract the plaintext post_password of password-protected courses along with post_content, post_author, and post_name of unpublished draft, private, and pending courses. The weakness is classified under CWE-862: Missing Authorization.
Critical Impact
Unauthenticated remote attackers can retrieve plaintext course passwords and read draft, private, and pending course content through a single crafted REST API request.
Affected Products
- LearnPress – WordPress LMS Plugin for Create and Sell Online Courses (all versions through 4.3.6)
- WordPress sites exposing the LearnPress REST API endpoint /wp-json/lp/v1/courses/archive-course
- Online course platforms relying on LearnPress for password-protected or unpublished course content
Discovery Timeline
- 2026-06-06 - CVE-2026-8502 published to the National Vulnerability Database
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-8502
Vulnerability Analysis
The vulnerability stems from missing authorization checks within the LearnPress REST API controller responsible for course archival listings. The endpoint constructs database queries based on user-supplied parameters without enforcing access controls on sensitive wp_posts columns. When attackers supply both c_status=all and return_type=json, the controller bypasses safe query construction and falls through to an unrestricted SELECT * query path. This exposes columns that should never be reachable by unauthenticated callers, including post_password, post_content, post_author, and post_name for non-published courses.
Root Cause
The defect originates from two interacting issues in the courses controller and database layer. First, the c_status=all parameter removes the post_status = 'publish' WHERE clause that normally restricts results to published content. Second, the return_type=json parameter prevents the safe DISTINCT(ID) AS ID field override that would otherwise limit returned columns to identifiers only. The combination causes the query to return every column from matching rows. Relevant code paths are documented in the LearnPress REST Courses Controller and the LearnPress Courses Model.
Attack Vector
An unauthenticated attacker sends a single HTTP GET or POST request to /wp-json/lp/v1/courses/archive-course with c_status=all and return_type=json in the query string or body. The server responds with a JSON payload containing the full row data of all courses, including unpublished entries and plaintext passwords. No authentication, user interaction, or special privileges are required. See the Wordfence Vulnerability Analysis for additional technical context.
Detection Methods for CVE-2026-8502
Indicators of Compromise
- Web server access logs containing requests to /wp-json/lp/v1/courses/archive-course with both c_status=all and return_type=json parameters
- Unusual volume of unauthenticated requests to the LearnPress REST namespace /wp-json/lp/v1/
- Outbound JSON responses from the archive-course endpoint exceeding typical baseline sizes, indicating bulk row exfiltration
Detection Strategies
- Inspect HTTP request logs for the parameter combination c_status=all&return_type=json targeting the LearnPress REST API
- Deploy WAF rules to flag or block REST requests to LearnPress endpoints originating from unauthenticated sessions with these parameters
- Correlate REST API access patterns with absence of authentication cookies or Authorization headers
Monitoring Recommendations
- Enable verbose access logging on the WordPress REST API and forward logs to a centralized SIEM for retrospective analysis
- Alert on response sizes from /wp-json/lp/v1/courses/archive-course that deviate from established baselines
- Track repeated requests from a single IP enumerating the archive-course endpoint over short time windows
How to Mitigate CVE-2026-8502
Immediate Actions Required
- Update the LearnPress plugin to a version higher than 4.3.6 containing the fix referenced in the LearnPress Changeset 3545523
- Audit wp_posts entries for any LearnPress course type with non-empty post_password and rotate those passwords after patching
- Review draft, private, and pending courses for unintended exposure and treat their contents as potentially disclosed
Patch Information
The LearnPress maintainers addressed the issue in a release following version 4.3.6. Refer to the LearnPress Changeset for the code fix and the Wordfence Vulnerability Analysis for confirmation of the fixed version. Apply the update through the WordPress plugin manager or WP-CLI.
Workarounds
- Block external access to /wp-json/lp/v1/courses/archive-course at the web server or WAF until the patch is applied
- Deny requests containing the parameter combination c_status=all and return_type=json via WAF rules
- Restrict the WordPress REST API to authenticated users where business logic permits
# Example nginx rule to block the vulnerable parameter combination
location ~* /wp-json/lp/v1/courses/archive-course {
if ($args ~* "c_status=all") {
if ($args ~* "return_type=json") {
return 403;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
