CVE-2026-48865

Vulnerability

The LearnPress plugin for WordPress suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This issue affects all versions from n/a through 4.3.6. The vulnerability is present in the plugin's handling of certain parameters, allowing injection of arbitrary HTML and JavaScript.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing the XSS payload and tricking a privileged user (such as an administrator) into clicking it [1]. User interaction is required; the victim must perform an action like clicking a link or visiting a crafted page. No authentication is needed for the attacker to deliver the payload, but the target user must be logged in to the WordPress admin area for the script to execute in that context.

Impact

Successful exploitation allows the attacker to inject malicious scripts, such as redirects, advertisements, and other HTML payloads, which will be executed when other users visit the affected site [1]. This can lead to defacement, phishing, or theft of sensitive information like session cookies.

Mitigation

The vulnerability is fixed in version 4.3.7 of the LearnPress plugin [1]. Users are advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update is applied [1]. No other workarounds are documented.