CVE-2026-8383
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
The LearnPress WordPress plugin before version 4.3.7 does not gate the `edit` context on one of its REST endpoints, allowing unauthenticated users to retrieve user roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request.
Risk Assessment
Unauthenticated users can access sensitive information about users, potentially leading to further attacks or privacy breaches.
Recommendation
It is recommended to update the LearnPress plugin to version 4.3.7 or later to block access to sensitive data by unauthenticated users.
Original NVD description (English source)
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request

