PatchSiren cyber security CVE debrief
CVE-2026-13765 thimpress CVE debrief
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_answer. This makes it possible for unauthenticated attackers to extract the correct-answer markers, full option lists, explanations, and question content for any quiz question on the site — including questions belonging to paid courses the attacker is not enrolled in. Users of the LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. The vulnerability allows unauthenticated attackers to extract sensitive information.
- Vendor
- thimpress
- Product
- LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of the LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. Affected operators, platforms, and security teams need to review the vulnerability and implement necessary mitigations. Vulnerability management and security teams should prioritize patching or mitigating this vulnerability to prevent potential data breaches.
Technical summary
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure. This vulnerability allows unauthenticated attackers to extract sensitive information, including correct-answer markers, full option lists, explanations, and question content for any quiz question on the site. The vulnerability exists in all versions up to, and including, 4.4.1 via the check_answer. Affected product deployments should be confirmed in managed environments and assigned an owner for follow-up.
Defensive priority
High
Recommended defensive actions
- Update the LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin to the latest version.
- Restrict access to sensitive information.
- Monitor for suspicious activity.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-17T05:16:37.837Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence suggests that the LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure. Further verification is needed to confirm the affected scope and severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T05:16:37.837Z and has not been modified since then.