CVE-2026-12732 PUBLISHED

LearnPress <= 4.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_wrapper_form' Shortcode Attribute

Assigner: Wordfence
Reserved: 19.06.2026 Published: 01.07.2026 Updated: 01.07.2026

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via sprintf('<form class="%s">', $class_wrapper_form) without esc_attr() escaping. The FilterCourseShortcode::render() handler does not apply shortcode_atts() filtering, so raw user attributes flow directly through do_action('learn-press/filter-courses/layout', $data) into the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4

Product Status

Vendor thimpress
Product LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
Versions Default: unaffected
  • affected from 0 to 4.4.0 (incl.)

Credits

  • zaim finder
  • PRISM finder

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE