CVE Catalog

CVE-2026-8383

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

The LearnPress WordPress plugin before version 4.3.7 does not gate the `edit` context on one of its REST endpoints, allowing unauthenticated users to retrieve user roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request.

Risk Assessment

Unauthenticated users can access sensitive information about users, potentially leading to further attacks or privacy breaches.

Recommendation

It is recommended to update the LearnPress plugin to version 4.3.7 or later to block access to sensitive data by unauthenticated users.

Original NVD description (English source)

The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request

Vulnerability data from NVD (NIST) · CISA KEV · EPSS