CVE-2026-8383 PUBLISHED

LearnPress < 4.3.7 - Unauthenticated Sensitive User Information Disclosure via REST API

Assigner: WPScan
Reserved: 12.05.2026 Published: 17.06.2026 Updated: 17.06.2026

The LearnPress WordPress plugin before 4.3.7 does not gate the edit context on one of its REST endpoints behind the edit_users capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request.

Product Status

Vendor Unknown
Product LearnPress
Versions Default: unaffected
  • affected from 0 to 4.3.7 (excl.)

Credits

  • dyingman1 (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-862: Missing Authorization