CVE-2025-14387

The LearnPress – WordPress LMS Plugin is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 4.3.1. The root cause is insufficient input sanitization and output escaping in the user profile update functionality. Specifically, the learn_press_update_user_profile_basic_information and learn_press_update_extra_user_profile_fields functions directly process user-supplied data from $_POST without proper validation, allowing malicious script injection into social profile links and extra info fields [1].

To exploit this vulnerability, an attacker must be authenticated with at least Subscriber-level access. The attacker can craft a payload containing JavaScript and submit it via the profile update form. The injected script is stored in the database and executed whenever a user (including administrators) views the affected profile page. No additional privileges or network position are required beyond standard subscriber capabilities [1].

Successful exploitation enables the attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies and authentication tokens. The impact is amplified because the XSS is stored, affecting all users who access the compromised profile [1].

The vulnerability has been addressed in the commit referenced in the advisory. The fix replaces direct $_POST access with LP_Request::get_param() and applies proper sanitization. Users are strongly advised to update LearnPress to version 4.3.2 or later, which includes the patch. No workarounds are provided, and the plugin maintainers recommend immediate updating [1].