WP Learn Manager Security & Risk Analysis

wordpress.org/plugins/learn-manager

WP Learn Manager is the most comprehensive, extensive, and feature-rich WordPress LMS plugin.

10 active installs · v1.1.8 · PHP + · WP 4.5+ · Updated Nov 22, 2021
Tags: e-learning, elearning, learning-management-system, lms, wordpress-lms
84
B · Generally Safe
CVEs total: 2
Unpatched: 0
Last CVE: Aug 2, 2021
Safety Verdict

Is WP Learn Manager Safe to Use in 2026?

Mostly Safe

Score 84/100

WP Learn Manager is generally safe to use though it hasn't been updated recently. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · Last CVE: Aug 2, 2021 · Updated 4yr ago
Risk Assessment

The Learn Manager plugin, version 1.1.8, presents a mixed security posture. While it demonstrates good practices in areas like the high percentage of SQL queries using prepared statements and a substantial amount of output escaping, several significant concerns remain. The presence of unprotected AJAX handlers is a primary weakness, creating direct entry points for unauthenticated attackers. The taint analysis reveals a concerning number of flows with unsanitized paths, with 8 identified as high severity, indicating potential for command injection or other serious vulnerabilities if these flows are triggered by user input.

The plugin's vulnerability history, with two known CVEs including a past high-severity issue and a medium-severity one, suggests a pattern of exploitable weaknesses. While there are currently no unpatched vulnerabilities, the types of past issues (CSRF and XSS) align with the potential risks identified in the static analysis, particularly regarding unsanitized input and the lack of robust authorization checks on entry points. The use of dangerous functions like `exec` and `unserialize` further amplifies these risks.

In conclusion, while Learn Manager has some strengths in secure coding practices, the significant number of unprotected entry points and the high-severity taint flows indicate a substantial risk. Attackers could potentially leverage these weaknesses to execute arbitrary code or manipulate data. The plugin's past vulnerability history reinforces the need for caution and thorough security auditing.

Key Concerns

  • 4 unprotected AJAX handlers identified
  • 8 high severity taint flows with unsanitized paths
  • Dangerous functions (exec, unserialize) present
  • 1 known high severity CVE historically
  • 1 known medium severity CVE historically
  • 14 flows with unsanitized paths
  • File operations are numerous (92)
  • Limited capability checks (4)
Vulnerabilities
2

WP Learn Manager Security Vulnerabilities

CVEs by Year

  • 2021: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 1

2 total CVEs

WF-e2defe79-137f-45a0-85a1-f61dce9afd28-learn-manager · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP LMS – Best WordPress LMS Plugin <= 1.1.4 - Cross-Site Request Forgery

Aug 2, 2021 · Patched in 1.1.5 (904d)

CVE-2021-24504 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP LMS – Best WordPress LMS Plugin <= 1.1.5 - Cross-Site Scripting

May 24, 2021 · Patched in 1.1.6 (974d)
Code Analysis
Analyzed Mar 17, 2026

WP Learn Manager Code Analysis

  • Dangerous Functions: 8
  • Raw SQL Queries: 14 (253 prepared)
  • Unescaped Output: 2029 (4697 escaped)
  • Nonce Checks: 29
  • Capability Checks: 4
  • File Operations: 92
  • External Requests: 15
  • Bundled Libraries: 1

Dangerous Functions Found

  • exec: `if (strlen($mime = @exec("file -bi ".escapeshellarg($this->file_src_pathname))) != 0) {` (includes\classes\class.upload.php:2422)
  • unserialize: `$array = @unserialize($value);` (modules\course\model.php:2466)
  • unserialize: `$data = @unserialize($value);` (modules\course\model.php:2487)
  • unserialize: `$value = unserialize($value);` (modules\course\model.php:2489)
  • unserialize: `$value = unserialize($cookie);` (modules\course\model.php:2566)
  • unserialize: `$array = @unserialize($value);` (modules\course\model.php:2750)
  • unserialize: `$data = @unserialize($value);` (modules\course\model.php:2878)
  • unserialize: `$value = unserialize($value);` (modules\course\model.php:2880)

Bundled Libraries

jQuery

SQL Query Safety

95% prepared · 267 total queries

Output Escaping

70% escaped · 6726 total outputs
Data Flows
14 unsanitized

Data Flow Analysis

15 flows · 14 with unsanitized paths
upload (includes\classes\class.upload.php:2041)
Attack Surface
4 unprotected

WP Learn Manager Attack Surface

Entry Points: 7
Unprotected: 4

AJAX Handlers 4

auth · wp_ajax_jslearnmanager_ajax · includes\ajax.php:9
nopriv · wp_ajax_jslearnmanager_ajax · includes\ajax.php:10
auth · wp_ajax_jslearnmanager_loginwith_ajax · includes\ajax.php:11
nopriv · wp_ajax_jslearnmanager_loginwith_ajax · includes\ajax.php:12

Shortcodes 3

[jslearnmanager] includes\shortcodes.php:6
[jslearnmanager] includes\shortcodes.php:7
[jslearnmanager_course_search] includes\shortcodes.php:8
WordPress Hooks 53
action · admin_init · includes\addon-updater\jslmupdater.php:31
filter · site_transient_update_plugins · includes\addon-updater\jslmupdater.php:38
filter · plugins_api · includes\addon-updater\jslmupdater.php:40
action · admin_notices · includes\addon-updater\jslmupdater.php:44
action · after_plugin_row · includes\addon-updater\jslmupdater.php:45
filter · upload_dir · includes\classes\uploads.php:109
filter · upload_dir · includes\classes\uploads.php:205
action · wp_dashboard_setup · includes\dashboardapi.php:15
action · wp_dashboard_setup · includes\dashboardapi.php:32
action · wp_dashboard_setup · includes\dashboardapi.php:49
action · wp_dashboard_setup · includes\dashboardapi.php:66
action · wp_dashboard_setup · includes\dashboardapi.php:83
action · wp_dashboard_setup · includes\dashboardapi.php:100
action · wp_dashboard_setup · includes\dashboardapi.php:117
action · wp_dashboard_setup · includes\dashboardapi.php:134
action · init · includes\formhandler.php:9
action · init · includes\formhandler.php:10
action · wp_login_failed · includes\jslearnmanager-hooks.php:7
filter · authenticate · includes\jslearnmanager-hooks.php:9
action · admin_enqueue_scripts · includes\jslearnmanager-hooks.php:37
action · register_form · includes\jslearnmanager-hooks.php:71
filter · registration_errors · includes\jslearnmanager-hooks.php:78
action · user_register · includes\jslearnmanager-hooks.php:91
action · init · includes\jslearnmanager-hooks.php:268
action · delete_user · includes\jslearnmanager-hooks.php:304
action · admin_menu · includes\jslearnmanageradmin.php:9
filter · post_rewrite_rules · includes\paramregister.php:49
filter · page_rewrite_rules · includes\paramregister.php:57
filter · root_rewrite_rules · includes\paramregister.php:82
filter · query_vars · includes\paramregister.php:91
action · parse_request · includes\paramregister.php:292
filter · redirect_canonical · includes\paramregister.php:311
action · widgets_init · includes\widgets\widgets.php:11
action · wp_insert_site · learn-manager.php:78
action · wpmu_new_blog · learn-manager.php:80
filter · wpmu_drop_tables · learn-manager.php:82
action · plugins_loaded · learn-manager.php:83
action · admin_init · learn-manager.php:84
action · reset_jslmaddon_query · learn-manager.php:85
action · admin_init · learn-manager.php:86
action · admin_init · learn-manager.php:87
action · init · learn-manager.php:88
action · jslearnmanager_cronjobs_action · learn-manager.php:89
action · jslm_delete_expire_session_data · learn-manager.php:90
action · jslm_load_file_path · learn-manager.php:91
action · wp_enqueue_scripts · learn-manager.php:978
action · admin_enqueue_scripts · learn-manager.php:990
filter · style_loader_tag · learn-manager.php:991
filter · script_loader_tag · learn-manager.php:992
action · jslm_addon_update_date_failed · learn-manager.php:997
action · upgrader_process_complete · learn-manager.php:1048
filter · wp_mail_content_type · modules\common\model.php:356
filter · wp_mail_content_type · modules\emailtemplate\model.php:536

Scheduled Events 2

jslm_delete_expire_session_data
jslearnmanager_cronjobs_action
Maintenance & Trust

WP Learn Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.8.13
Last updated: Nov 22, 2021
PHP min version
Downloads: 7K

Community Trust

Rating: 80/100
Number of ratings: 4
Active installs: 10
Developer Profile

WP Learn Manager Developer Profile

JoomSky

3 plugins · 6K total installs

Trust score: 50
Avg Security Score: 59/100
Avg Patch Time: 323 days
Detection Fingerprints

How We Detect WP Learn Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/learn-manager/includes/css/style.css
/wp-content/plugins/learn-manager/includes/css/custom.css
/wp-content/plugins/learn-manager/assets/css/bootstrap.min.css
/wp-content/plugins/learn-manager/assets/css/jquery-ui.css
/wp-content/plugins/learn-manager/assets/css/font-awesome.min.css
/wp-content/plugins/learn-manager/assets/css/slick.css
/wp-content/plugins/learn-manager/assets/css/slick-theme.css
/wp-content/plugins/learn-manager/assets/css/prettyPhoto.css
+21 more
Script Paths
/wp-content/plugins/learn-manager/assets/js/jquery-ui.min.js
/wp-content/plugins/learn-manager/assets/js/chart.min.js
/wp-content/plugins/learn-manager/includes/js/jquery.js
/wp-content/plugins/learn-manager/includes/js/common.js
Version Parameters
learn-manager/includes/css/style.css?ver=
learn-manager/includes/css/custom.css?ver=
learn-manager/assets/css/bootstrap.min.css?ver=
learn-manager/assets/css/jquery-ui.css?ver=
learn-manager/assets/css/font-awesome.min.css?ver=
learn-manager/assets/css/slick.css?ver=
learn-manager/assets/css/slick-theme.css?ver=
learn-manager/assets/css/prettyPhoto.css?ver=
learn-manager/assets/css/animate.css?ver=
learn-manager/assets/css/responsive.css?ver=
learn-manager/assets/css/main.css?ver=
learn-manager/assets/css/jssocials.css?ver=
learn-manager/assets/css/jssocials-theme-flat.css?ver=
learn-manager/assets/js/bootstrap.min.js?ver=
learn-manager/assets/js/jquery.easing.1.3.js?ver=
learn-manager/assets/js/waypoints.min.js?ver=
learn-manager/assets/js/jquery.counterup.min.js?ver=
learn-manager/assets/js/slick.min.js?ver=
learn-manager/assets/js/owl.carousel.min.js?ver=
learn-manager/assets/js/prettyPhoto.js?ver=
learn-manager/assets/js/jquery.form.js?ver=
learn-manager/assets/js/jquery.validate.min.js?ver=
learn-manager/assets/js/custom.js?ver=
learn-manager/assets/js/jssocials.min.js?ver=
learn-manager/assets/js/jquery-ui.min.js?ver=
learn-manager/assets/js/jquery.maskedinput.min.js?ver=
learn-manager/assets/js/chart.min.js?ver=
learn-manager/includes/js/jquery.js?ver=
learn-manager/includes/js/common.js?ver=

HTML / DOM Fingerprints

CSS Classes
jslm_title, jslm_button, jslm_form_field, jslm_search_field, jslm_data_table, jslm_pagination
HTML Comments
<!-- JSLearnManager -->
Data Attributes
data-jslm-action, data-jslm-id
JS Globals
jslearnmanager, JSLEARNMANAGERrequest, JSLEARNMANAGERincluder, jslm_admin_params, jslm_plugin_url
REST Endpoints
/wp-json/jslm/v1/data