CVE-2026-4365 - LearnPress WordPress Plugin - Broken Access Control

Overview

LearnPress WordPress plugin <= 4.3.2.8 contains an authorization bypass caused by missing capability check in delete_question_answer() function, letting unauthenticated attackers delete quiz answers using a public wp_rest nonce.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can delete quiz answer options, leading to data loss and integrity issues.

Mitigation

Update to a version later than 4.3.2.8 or the latest available version.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Apr 14, 2026

🔴 CVE-2026-4365 - Critical (9.1) The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. The plugin exposes a `wp_rest` nonce in pub... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4365/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Apr 14, 2026

🔴 CVE-2026-4365 - Critical (9.1) The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. The plugin exposes a `wp_rest` nonce in pub... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4365/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-4365 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score