WP-Safety

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses Security & Risk Analysis

wordpress.org/plugins/wp-courses

WP Courses LMS - Create Courses, Lessons, Quizzes, Profiles and more. Online Courses Builder, eLearning Courses, Courses Solution, Education Courses.

600 active installs v3.2.27 PHP + WP 5.0+ Updated Feb 13, 2026
coursecourseselearninglmsonline-courses
94
A · Safe
CVEs total6
Unpatched0
Last CVEDec 11, 2024
Plugin page Download
Safety Verdict

Is WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses Safe to Use in 2026?

Generally Safe

Score 94/100

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEsLast CVE: Dec 11, 2024Updated 1mo ago
Risk Assessment

The "wp-courses" plugin v3.2.27 exhibits a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and proper output escaping, several areas raise concerns. The presence of the `unserialize` function, even if not directly linked to exploitable taint flows in this analysis, represents a known attack vector that requires careful handling and input validation. The significant number of unsanitized paths identified in the taint analysis (16 out of 29 flows) is a notable weakness, even without critical or high severity flows directly identified. This suggests a potential for vulnerabilities if input is not rigorously sanitized before being used in sensitive operations.

The plugin's vulnerability history is a significant area of concern, with a total of 6 known CVEs, including 3 high and 3 medium severity issues. While there are currently no unpatched CVEs, the pattern of past vulnerabilities, particularly around missing authorization, CSRF, and XSS, indicates a recurring tendency for these types of flaws to be introduced. This history, combined with the taint analysis findings, suggests that the development team may not always prioritize robust input validation and authorization checks, leading to the introduction of exploitable weaknesses.

In conclusion, while the plugin incorporates some strong security practices, the identified taint analysis issues and its history of high and medium severity vulnerabilities necessitate a cautious approach. The potential for unsanitized input and the past prevalence of authorization and XSS flaws are significant risks that users should be aware of. Continued vigilance and thorough security reviews are recommended for this plugin.

Key Concerns

  • Dangerous function 'unserialize' found
  • Taint flows with unsanitized paths found (16/29)
  • High severity vulnerabilities in history (3)
  • Medium severity vulnerabilities in history (3)
  • Bundled outdated library: DataTables v1.11.2
  • Bundled outdated library: Select2
Vulnerabilities
6

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses Security Vulnerabilities

CVEs by Year

1 CVE in 2020
2020
1 CVE in 2021
2021
3 CVEs in 2023
2023
1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

High
3
Medium
3

6 total CVEs

CVE-2024-12172high · 7.5Missing Authorization

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses <= 3.2.21 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update

Dec 11, 2024 Patched in 3.2.22 (1d)
WF-1127fe1e-4359-4dff-93a7-392a8bfded51-wp-coursesmedium · 4.3Missing Authorization

WP Courses LMS <= 3.2.3 - Missing Authorization

Nov 14, 2023 Patched in 3.2.4 (70d)
WF-487e23c9-9100-4240-8992-c4c85930c4a6-wp-coursesmedium · 4.3Cross-Site Request Forgery (CSRF)

WP Courses LMS <= 3.2.3 - Cross-Site Request Forgery

Nov 14, 2023 Patched in 3.2.4 (70d)
WF-8a6f7952-cb64-4cff-aae7-0f03692cd95f-wp-courseshigh · 8.8Missing Authorization

WP Courses LMS <= 3.2.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Nov 14, 2023 Patched in 3.2.4 (70d)
CVE-2021-24621medium · 4.8Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Courses LMS < 2.0.44 - Authenticated Stored Cross-Site Scripting

Aug 16, 2021 Patched in 2.0.44 (890d)
CVE-2020-26876high · 7.5Improper Access Control

WP Courses <= 2.0.28 - Improper Access Controls

Sep 28, 2020 Patched in 2.0.29 (1212d)
Code Analysis
Analyzed Mar 16, 2026

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses Code Analysis

Dangerous Functions
3
Raw SQL Queries
2
71 prepared
Unescaped Output
132
596 escaped
Nonce Checks
48
Capability Checks
38
File Operations
0
External Requests
0
Bundled Libraries
2

Dangerous Functions Found

unserialize$tracking = unserialize( $result->meta_value );legacy\update.php:12
unserializeif(is_array(unserialize($result->meta_value))) {legacy\update.php:99
unserializeforeach(unserialize($result->meta_value) as $teacher_id) {legacy\update.php:100

Bundled Libraries

DataTables1.11.2Select2

SQL Query Safety

97% prepared73 total queries

Output Escaping

82% escaped728 total outputs
Data Flows
16 unsanitized

Data Flow Analysis

25 flows16 with unsanitized paths
lesson (classes\WPC_Ajax_Components.php:47)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses Attack Surface

Entry Points66
Unprotected0

AJAX Handlers 61

authwp_ajax_save_fe_optionadmin\front-end-editor.php:204
authwp_ajax_change_courseajax\ajax-course-change.php:29
authwp_ajax_order_courseajax\ajax-course-order.php:35
authwp_ajax_wpc_change_restrictionajax\ajax-lesson-change-restriction.php:52
authwp_ajax_order_lessonsajax\ajax-lesson-order.php:42
authwp_ajax_add_moduleajax\ajax-lesson-order.php:56
authwp_ajax_delete_moduleajax\ajax-lesson-order.php:84
authwp_ajax_rename_moduleajax\ajax-lesson-order.php:109
authwp_ajax_wpc_submit_deactivation_surveyajax\ajax-survey.php:3
authwp_ajax_wpc_submit_surveyajax\ajax-survey.php:156
authwp_ajax_wpc_update_user_metaajax\ajax-user-meta.php:32
authwp_ajax_add_requirementajax\ajax.php:105
authwp_ajax_delete_requirementajax\ajax.php:205
authwp_ajax_change_requirement_courseajax\ajax.php:289
authwp_ajax_change_requirement_actajax\ajax.php:381
authwp_ajax_change_requirement_typeajax\ajax.php:444
authwp_ajax_change_requirement_timesajax\ajax.php:506
authwp_ajax_change_requirement_percentajax\ajax.php:568
authwp_ajax_change_requirement_lessonajax\ajax.php:633
authwp_ajax_wpcq_save_quiz_results_actionclasses\WPCQ_Ajax.php:26
authwp_ajax_wpcq_save_quiz_actionclasses\WPCQ_Ajax.php:27
authwp_ajax_wpcq_get_quiz_resultclasses\WPCQ_Ajax.php:28
authwp_ajax_wpc_get_quizclasses\WPCQ_Ajax.php:30
noprivwp_ajax_wpc_get_quizclasses\WPCQ_Ajax.php:31
noprivwp_ajax_wpc_toggle_completedclasses\WPC_Ajax.php:15
noprivwp_ajax_wpc_get_awardsclasses\WPC_Ajax.php:16
noprivwp_ajax_wpc_admin_html_lesson_navclasses\WPC_Ajax.php:17
noprivwp_ajax_wpc_submit_commentclasses\WPC_Ajax.php:18
authwp_ajax_wpc_toggle_completedclasses\WPC_Ajax.php:20
authwp_ajax_wpc_get_awardsclasses\WPC_Ajax.php:21
authwp_ajax_wpc_admin_html_lesson_navclasses\WPC_Ajax.php:22
authwp_ajax_wpc_submit_commentclasses\WPC_Ajax.php:23
authwp_ajax_wpc_lesson_toolbarclasses\WPC_Ajax_Components.php:15
authwp_ajax_wpc_lessonclasses\WPC_Ajax_Components.php:16
authwp_ajax_wpc_attachmentsclasses\WPC_Ajax_Components.php:17
authwp_ajax_wpc_lesson_navigationclasses\WPC_Ajax_Components.php:18
authwp_ajax_wpc_course_categoriesclasses\WPC_Ajax_Components.php:19
authwp_ajax_wpc_teacherclasses\WPC_Ajax_Components.php:20
authwp_ajax_wpc_course_toolbarclasses\WPC_Ajax_Components.php:21
authwp_ajax_wpc_courseclasses\WPC_Ajax_Components.php:22
authwp_ajax_wpc_course_archiveclasses\WPC_Ajax_Components.php:23
authwp_ajax_wpc_profile_navclasses\WPC_Ajax_Components.php:24
authwp_ajax_wpc_profile_partclasses\WPC_Ajax_Components.php:25
authwp_ajax_wpc_profile_part_paginationclasses\WPC_Ajax_Components.php:26
authwp_ajax_wpc_login_formclasses\WPC_Ajax_Components.php:27
authwp_ajax_wpc_certificateclasses\WPC_Ajax_Components.php:28
noprivwp_ajax_wpc_lesson_toolbarclasses\WPC_Ajax_Components.php:30
noprivwp_ajax_wpc_lessonclasses\WPC_Ajax_Components.php:31
noprivwp_ajax_wpc_attachmentsclasses\WPC_Ajax_Components.php:32
noprivwp_ajax_wpc_lesson_navigationclasses\WPC_Ajax_Components.php:33
noprivwp_ajax_wpc_course_categoriesclasses\WPC_Ajax_Components.php:34
noprivwp_ajax_wpc_teacherclasses\WPC_Ajax_Components.php:35
noprivwp_ajax_wpc_course_toolbarclasses\WPC_Ajax_Components.php:36
noprivwp_ajax_wpc_courseclasses\WPC_Ajax_Components.php:37
noprivwp_ajax_wpc_course_archiveclasses\WPC_Ajax_Components.php:38
noprivwp_ajax_wpc_profile_navclasses\WPC_Ajax_Components.php:39
noprivwp_ajax_wpc_profile_partclasses\WPC_Ajax_Components.php:40
authwp_ajax_wpc_profile_part_paginationclasses\WPC_Ajax_Components.php:41
noprivwp_ajax_wpc_login_formclasses\WPC_Ajax_Components.php:42
noprivwp_ajax_wpc_certificateclasses\WPC_Ajax_Components.php:43
authwp_ajax_wpc_admin_notice_dismisswp-courses.php:627

Shortcodes 5

[wpc_courses] classes\WPC_Shortcodes.php:10
[courses] classes\WPC_Shortcodes.php:11
[wpc_profile] classes\WPC_Shortcodes.php:12
[lesson_count] classes\WPC_Shortcodes.php:13
[course_count] classes\WPC_Shortcodes.php:14
WordPress Hooks 109
actionadmin_menuadmin\admin-menu.php:3
actionadmin_menuadmin\admin-menu.php:46
actionadmin_footeradmin\admin-menu.php:104
filterparent_fileadmin\admin-menu.php:138
filtermanage_edit-course_columnsadmin\columns.php:3
actionmanage_course_posts_custom_columnadmin\columns.php:16
filtermanage_edit-lesson_columnsadmin\columns.php:69
actionmanage_lesson_posts_custom_columnadmin\columns.php:87
filtermanage_edit-wpc-quiz_columnsadmin\columns.php:115
actionmanage_wpc-quiz_posts_custom_columnadmin\columns.php:128
filtermanage_edit-teacher_columnsadmin\columns.php:153
actionmanage_teacher_posts_custom_columnadmin\columns.php:164
actionadd_meta_boxesadmin\course-meta.php:5
actionadd_meta_boxesadmin\course-meta.php:10
actionadd_meta_boxesadmin\course-meta.php:26
actionadd_meta_boxesadmin\course-meta.php:44
actionsave_postadmin\course-meta.php:234
actionwp_headadmin\front-end-editor.php:185
actionadd_meta_boxesadmin\lesson-meta.php:17
actionsave_postadmin\lesson-meta.php:74
actionadd_meta_boxesadmin\lesson-meta.php:94
actionsave_postadmin\lesson-meta.php:166
actionadd_meta_boxesadmin\lesson-meta.php:185
actionsave_postadmin\lesson-meta.php:240
actionadmin_headadmin\quiz-meta.php:3
actionadd_meta_boxesadmin\quiz-meta.php:34
actionadd_meta_boxesadmin\quiz-meta.php:35
actionsave_postadmin\quiz-meta.php:249
actionadd_meta_boxesadmin\requirements-meta.php:5
actionsave_postadmin\requirements-meta.php:224
actionwidgets_initadmin\widgets.php:174
actionadmin_initadmin\wpc-options.php:121
actionadmin_footerajax\ajax-course-change.php:2
actionadmin_footerajax\ajax-course-order.php:2
actionadmin_footerajax\ajax-survey.php:52
actionadmin_footerajax\ajax-survey.php:163
actionwp_footerajax\ajax-user-meta.php:2
actionadmin_footerajax\ajax.php:3
actionadmin_footerajax\ajax.php:166
actionadmin_footerajax\ajax.php:231
actionadmin_footerajax\ajax.php:348
actionadmin_footerajax\ajax.php:411
actionadmin_footerajax\ajax.php:473
actionadmin_footerajax\ajax.php:535
actionadmin_footerajax\ajax.php:597
actionwp_headclasses\WPCQ_Ajax.php:4
actioninitclasses\WPCQ_Ajax.php:178
actioninitclasses\WPC_Ajax.php:218
actioninitclasses\WPC_Ajax_Components.php:367
actioninitclasses\WPC_Shortcodes.php:109
actionplugins_loadeddb\db-tables.php:42
actioninitdb\db-tables.php:78
actionplugins_loadeddb\db-tables.php:116
actionplugins_loadeddb\db-tables.php:157
actionwp_headfunctions\tracking.php:23
actioninitinit\cp-types.php:43
filterpost_updated_messagesinit\cp-types.php:65
actioninitinit\cp-types.php:109
filterpost_updated_messagesinit\cp-types.php:131
actioninitinit\cp-types.php:177
filterpost_updated_messagesinit\cp-types.php:198
actioninitinit\cp-types.php:241
filterpost_updated_messagesinit\cp-types.php:261
actioninitinit\cp-types.php:303
filterpage_row_actionsinit\cp-types.php:382
filterpost_row_actionsinit\cp-types.php:383
actionwp_print_scriptsinit\enqueue.php:3
actionwp_enqueue_scriptsinit\enqueue.php:38
actionadmin_enqueue_scriptsinit\enqueue.php:74
actionadmin_enqueue_scriptsinit\enqueue.php:183
actionwp_enqueue_scriptsinit\enqueue.php:184
actionwp_headinit\style-options.php:85
actionadmin_headinit\style-options.php:86
actioninitinit\taxonomies.php:4
actioninitinit\taxonomies.php:29
filtertemplate_includeinit\templates.php:7
filtertemplate_includeinit\templates.php:19
filtertemplate_includeinit\templates.php:31
filtertemplate_includeinit\templates.php:43
filtertemplate_includeinit\templates.php:55
filtertemplate_includeinit\templates.php:68
filtertemplate_includeinit\templates.php:82
filterwpc_lesson_contentintegrations\pmpro.php:5
filterwpc_lesson_contentintegrations\woo.php:3
actionwpc_after_course_buttonsintegrations\woo.php:283
actionwpc_after_course_details_buttonintegrations\woo.php:337
actionplugins_loadedwp-courses.php:32
actionadmin_initwp-courses.php:78
actionadmin_noticeswp-courses.php:108
filteret_builder_load_requestswp-courses.php:111
filterpost_type_linkwp-courses.php:142
filterexcerpt_morewp-courses.php:155
actionwp_headwp-courses.php:179
actionwp_footerwp-courses.php:189
actionadmin_footerwp-courses.php:191
actionrestrict_manage_postswp-courses.php:224
actionpre_get_postswp-courses.php:249
filterpre_get_postswp-courses.php:303
actionplugins_loadedwp-courses.php:306
filterrest_prepare_lessonwp-courses.php:330
actionpre_get_postswp-courses.php:333
actionpre_get_postswp-courses.php:369
actionpre_get_postswp-courses.php:405
actionpre_get_postswp-courses.php:441
filterthe_contentwp-courses.php:477
filterthe_contentwp-courses.php:493
actionin_admin_headerwp-courses.php:550
actionadmin_footerwp-courses.php:561
actionadmin_noticeswp-courses.php:580
Maintenance & Trust

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 13, 2026
PHP min version
Downloads77K

Community Trust

Rating98/100
Number of ratings22
Active installs600
Alternatives

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses Alternatives

Sensei LMS – Online Courses, Quizzes, & Learning

Sensei LMS – Online Courses, Quizzes, & Learning

sensei-lms

A
97

Create beautiful and engaging online courses, lessons, and quizzes.

10K 7 CVEs
MasterStudy LMS Divi Modules

MasterStudy LMS Divi Modules

masterstudy-lms-divi-modules

A
100

MasterStudy LMS Divi Modules is a deluxe Divi + MasterStudy integration. The harmonious combination of a quality MasterStudy LMS system and one of the &hellip;

300 No CVEs
Element Lesson Timer for Sensei

Element Lesson Timer for Sensei

sensei-lesson-timer

A
85

Lesson Timer for Sensei - a Sensei LMS plugin that adds a countdown timer to the lesson, forcing the learner to stay in the lesson until time expires.

90 No CVEs
Fox LMS – eLearning & Course Builder

Fox LMS – eLearning & Course Builder

fox-lms

A
94

Easily create online courses, lessons, and quizzes for your WordPress LMS website with this simple eLearning plugin for WordPress.

60 1 CVE
Design Upgrade for LearnDash

Design Upgrade for LearnDash

design-upgrade-learndash

A
85

Instantly improve LearnDash's design -- focus mode, course content, profile page, course navigation & course grid -- to more closely match yo &hellip;

7K No CVEs
Developer Profile

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses Developer Profile

hookandhook

6 plugins · 121K total installs

75
trust score
Avg Security Score
94/100
Avg Patch Time
478 days
View full developer profile
Detection Fingerprints

How We Detect WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-courses/assets/css/wpc-backend.css/wp-content/plugins/wp-courses/assets/css/wpc-frontend.css/wp-content/plugins/wp-courses/assets/css/wpc-quizzes.css/wp-content/plugins/wp-courses/assets/js/wpc-backend.js/wp-content/plugins/wp-courses/assets/js/wpc-frontend.js/wp-content/plugins/wp-courses/assets/js/wpc-quizzes.js/wp-content/plugins/wp-courses/assets/js/wpc-quizzes-editor.js/wp-content/plugins/wp-courses/assets/js/wpc-editor-addons.js+3 more
Script Paths
/wp-content/plugins/wp-courses/assets/js/wpc-backend.js/wp-content/plugins/wp-courses/assets/js/wpc-frontend.js/wp-content/plugins/wp-courses/assets/js/wpc-quizzes.js/wp-content/plugins/wp-courses/assets/js/wpc-quizzes-editor.js/wp-content/plugins/wp-courses/assets/js/wpc-editor-addons.js/wp-content/plugins/wp-courses/assets/js/wpc-course-builder.js+2 more
Version Parameters
wp-courses/assets/css/wpc-backend.css?ver=wp-courses/assets/css/wpc-frontend.css?ver=wp-courses/assets/css/wpc-quizzes.css?ver=wp-courses/assets/js/wpc-backend.js?ver=wp-courses/assets/js/wpc-frontend.js?ver=wp-courses/assets/js/wpc-quizzes.js?ver=wp-courses/assets/js/wpc-quizzes-editor.js?ver=wp-courses/assets/js/wpc-editor-addons.js?ver=wp-courses/assets/js/wpc-course-builder.js?ver=wp-courses/assets/js/wpc-admin-menu.js?ver=wp-courses/assets/js/wpc-quizzes-editor-components.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpc-right-toggle-sidebarwpc-toggle-sidebar-headerwpc-toggle-sidebarwpc-toggle-sidebar-contentwpc-bottom-toggle-sidebarwpc-bottom-toggle-sidebar-headerwpc-close-bottom-sidebarwpc-toggle-bottom-sidebar-content+11 more
Data Attributes
data-visible
JS Globals
ajaxurl
FAQ

Frequently Asked Questions about WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses