Critical WordPress LearnPress Flaw Allows Unauth Data Deletion
A critical vulnerability, tracked as CVE-2026-4365, has been identified in the LearnPress plugin for WordPress. According to the National Vulnerability Database, this flaw allows for unauthorized data deletion due to a glaring lack of capability checks within the delete_question_answer() function. This affects all LearnPress versions up to and including 4.3.2.8.
The real kicker here is the plugin’s exposure of a wp_rest nonce in public frontend HTML (lpData), even to unauthenticated visitors. This nonce, which should ideally be a unique, single-use token for authenticated actions, is then used as the sole security gate for the lp-load-ajax AJAX dispatcher. With no additional capability or ownership checks on the delete_question_answer action, unauthenticated attackers can simply craft a POST request using this publicly available nonce to delete any quiz answer option. It’s a classic case of broken access control, leading to a critical severity rating.
This isn’t just a minor bug; it’s a gaping hole that could allow bad actors to tamper with educational content, disrupt online courses, or even potentially deface parts of a site that rely on LearnPress. The CVSS score of 9.1 (CRITICAL) underscores the severity, with an attack vector requiring no authentication or user interaction, leading to high impact on integrity and availability.
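The pattern the advisory describes, as an added illustration that is not LearnPress's own code: a nonce check only defends against CSRF, so an AJAX delete handler also needs login, capability and ownership checks before it touches data. The hook, parameter, helper and table names here are assumptions; the WordPress functions called are core APIs.

```php
<?php
// Added illustration of the access-control pattern described above; not
// LearnPress code. Hook, parameter, helper and table names are hypothetical.
// check_ajax_referer(), current_user_can(), get_post(), absint() and
// wp_send_json_*() are WordPress core APIs.

// Vulnerable shape: a nonce is the only gate. A nonce blocks CSRF, it does
// not say who the caller is, and one printed into public HTML is known to
// every visitor, so anyone can reach the delete.
function demo_delete_answer_vulnerable() {
    check_ajax_referer( 'wp_rest', 'nonce' );
    demo_delete_answer_row( absint( $_POST['answer_id'] ?? 0 ) );
    wp_send_json_success();
}

// Hardened shape: nonce for CSRF, then login, capability and ownership.
function demo_delete_answer_hardened() {
    check_ajax_referer( 'demo_delete_answer', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'login required' ), 401 );
    }
    $answer_id = absint( $_POST['answer_id'] ?? 0 );
    $quiz_id   = absint( $_POST['quiz_id'] ?? 0 );
    // Capability check scoped to the object being changed, not a blanket role.
    if ( ! get_post( $quiz_id ) || ! current_user_can( 'edit_post', $quiz_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Ownership check: the answer must belong to the quiz the caller may edit.
    if ( ! demo_answer_belongs_to_quiz( $answer_id, $quiz_id ) ) {
        wp_send_json_error( array( 'message' => 'answer not in quiz' ), 403 );
    }
    demo_delete_answer_row( $answer_id );
    wp_send_json_success( array( 'deleted' => $answer_id ) );
}
// Hypothetical storage helpers against a made-up table, using prepared queries.
function demo_answer_belongs_to_quiz( $answer_id, $quiz_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_quiz_answers';
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE answer_id = %d AND quiz_id = %d",
        $answer_id, $quiz_id
    ) ) > 0;
}
function demo_delete_answer_row( $answer_id ) {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'demo_quiz_answers', array( 'answer_id' => $answer_id ), array( '%d' ) );
}
// Register for logged-in users only: no wp_ajax_nopriv_ variant is added.
add_action( 'wp_ajax_demo_delete_answer', 'demo_delete_answer_hardened' );
```

Because wp_send_json_error() terminates the request, each failed check stops the handler before the delete runs.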
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4365 | Auth Bypass | LearnPress plugin for WordPress versions <= 4.3.2.8 |
| CVE-2026-4365 | Auth Bypass | Missing capability check on `delete_question_answer()` function |
| CVE-2026-4365 | Auth Bypass | Exposure of `wp_rest` nonce in public frontend HTML (`lpData`) |
| CVE-2026-4365 | Auth Bypass | Vulnerable AJAX dispatcher: `lp-load-ajax` with `delete_question_answer` action |
| CVE-2026-4365 | Auth Bypass | Unauthenticated attackers can delete quiz answer options via crafted POST request |