[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fC_pZ8ECQh_3dUH0f26zirlr1U0L7EtqshahXi-jqD5A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-48865","learnpress-wordpress-lms-plugin-for-create-and-sell-online-courses-reflected-cross-site-scripting","LearnPress – WordPress LMS Plugin for Create and Sell Online Courses \u003C= 4.3.6 - Reflected Cross-Site Scripting","The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","learnpress",null,"\u003C=4.3.6","4.3.7","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-01 00:00:00","2026-06-01 16:18:04",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2e78bcfd-9764-49ae-9cac-cbc5419a0aa5?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin\u002Fadmin-rtl.css","assets\u002Fcss\u002Fadmin\u002Fadmin-rtl.min.css","assets\u002Fcss\u002Fadmin\u002Fadmin.css","assets\u002Fcss\u002Fadmin\u002Fadmin.min.css","assets\u002Fcss\u002Fcourse-builder-rtl.css","assets\u002Fcss\u002Fcourse-builder-rtl.min.css","assets\u002Fcss\u002Fcourse-builder.css","assets\u002Fcss\u002Fcourse-builder.min.css","researched",false,3,"This exploitation research plan targets **CVE-2026-48865**, a reflected Cross-Site Scripting (XSS) vulnerability in the LearnPress plugin for WordPress.\n\n---\n\n# Exploitation Research Plan: CVE-2026-48865 (LearnPress Reflected XSS)\n\n## 1. Vulnerability Summary\nThe LearnPress plugin (\u003C= 4.3.6) fails to adequately sanitize and escape user-supplied input before reflecting it on the page. Specifically, parameters used in course searching, filtering, or pagination on the course archive page are echoed back into the HTML document. This allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the victim's browser session.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: Course Archive Page (typically `\u002Fcourses\u002F` or `?post_type=lp_course`).\n*   **Vulnerable Parameter**: `lp-s` (Search parameter) or `orderby` (Sorting parameter).\n*   **Authentication**: Unauthenticated (None).\n*   **Preconditions**: The plugin must be active. For the payload to be most effective, a course archive page should exist.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point**: A user navigates to a URL containing the `lp-s` parameter (e.g., `example.com\u002Fcourses\u002F?lp-s=payload`).\n2.  **Processing**: The plugin's core logic (likely in `inc\u002Flp-template-functions.php` or `inc\u002Fclass-lp-query.php`) retrieves the search string from `$_GET['lp-s']`.\n3.  **Reflection**: The search term is passed to the archive template (e.g., `templates\u002Farchive-course.php`) to display a \"Search results for: [term]\" message.\n4.  **Sink**: The value is echoed directly or via a wrapper like `learn_press_get_template()` without passing through `esc_html()` or `esc_attr()`. Based on the provided CSS, the output likely resides within a `.learn-press-message` or search box container.\n\n## 4. Nonce Acquisition Strategy\nReflected XSS in a standard GET request typically **does not require a nonce**, as the vulnerability exists in the initial page render. However, if the reflection occurs via the LearnPress AJAX search (identified by `lp-tom-select` in the CSS), a nonce might be required.\n\n**Strategy for AJAX Nonce (if needed):**\n1.  **Identify Trigger**: The AJAX search is often triggered on pages containing the `[learn_press_recent_courses]` shortcode or the default course archive.\n2.  **Setup**: Create a page with the shortcode:\n    ```bash\n    wp post create --post_type=page --post_title=\"Courses\" --post_status=publish --post_content='[learn_press_recent_courses]'\n    ```\n3.  **Extraction**: Navigate to the page and extract the nonce from the `lpGlobalSettings` object:\n    *   **JS Variable**: `window.lpGlobalSettings`\n    *   **Nonce Key**: `nonce`\n    *   **Command**: `browser_eval(\"window.lpGlobalSettings?.nonce\")`\n\n## 5. Exploitation Strategy\nWe will test reflection in the search parameter on the main course archive.\n\n*   **Endpoint**: `\u002F` (WordPress Root)\n*   **Method**: `GET`\n*   **Payload**: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n*   **Target URL**: `http:\u002F\u002Flocalhost:8080\u002F?post_type=lp_course&lp-s=%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n\n**Step-by-Step Plan:**\n1.  **Discovery**: Find the course archive URL.\n2.  **Request**: Use `http_request` to send the payload.\n3.  **Analysis**: Check the response body for the unescaped script tag.\n4.  **DOM Verification**: Use `browser_navigate` to confirm the script executes (triggering a dialog or modifying a DOM property).\n\n## 6. Test Data Setup\n1.  **Install Plugin**: Ensure LearnPress 4.3.6 is installed.\n2.  **Create Content**: Create at least one course to ensure the archive page renders correctly.\n    ```bash\n    wp post create --post_type=lp_course --post_title=\"Security Testing 101\" --post_status=publish\n    ```\n3.  **Permalinks**: Flush rewrite rules to ensure the `\u002Fcourses\u002F` slug works if configured.\n    ```bash\n    wp rewrite structure '\u002F%postname%\u002F' --hard\n    wp rewrite flush --hard\n    ```\n\n## 7. Expected Results\n*   The HTTP response should contain the literal string: `value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"` or `Results for: \">\u003Cscript>...`.\n*   If testing via a browser, the `alert` dialog should appear.\n*   The script should not be neutralized as `&lt;script&gt;`.\n\n## 8. Verification Steps\nAfter the exploit attempt, verify the reflection point in the page source:\n```bash\n# Using http_request and searching for the canary\n# If the payload is \u003Cscript>alert(1337)\u003C\u002Fscript>\ngrep \"alert(1337)\" response_body.txt\n```\n\n## 9. Alternative Approaches\nIf `lp-s` is sanitized, try these alternative parameters:\n*   **`orderby`**: `?post_type=lp_course&orderby=price\">\u003Cscript>alert(1)\u003C\u002Fscript>`\n*   **`paged`**: `?post_type=lp_course&paged=1\u003Cscript>alert(1)\u003C\u002Fscript>`\n*   **AJAX Reflection**: Use `http_request` to call `admin-ajax.php` with `action=lp_course_search` and the payload in the `term` or `s` parameter, checking for unescaped JSON output.","The LearnPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 4.3.6. This is due to the plugin failing to sufficiently sanitize and escape user-supplied input in parameters such as 'lp-s' and 'orderby' before echoing them back on the course archive page, allowing attackers to execute arbitrary JavaScript in a victim's browser.","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearnpress\u002F4.3.6\u002Fassets\u002Fcss\u002Fadmin\u002Fadmin.css\t2026-05-03 17:09:04.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearnpress\u002F4.3.7\u002Fassets\u002Fcss\u002Fadmin\u002Fadmin.css\t2026-05-23 18:20:54.000000000 +0000\n@@ -695,7 +695,7 @@\n \n @font-face {\n   font-family: \"lp-icon\";\n-  src: url(\"..\u002F..\u002Fsrc\u002Fcss\u002Fvendor\u002Ffonts\u002Flp-icon\u002Flp-icon.woff2?v=166\") format(\"woff2\");\n+  src: url(\"..\u002F..\u002Fsrc\u002Fcss\u002Fvendor\u002Ffonts\u002Flp-icon\u002Flp-icon.woff2?v=190\") format(\"woff2\");\n   font-weight: normal;\n   font-style: normal;\n   font-display: swap;\n@@ -1946,11 +1946,8 @@\n   margin-right: 5px;\n   font-variant: normal;\n   text-transform: none;\n-  line-height: 1;\n   -webkit-font-smoothing: antialiased;\n   -moz-osx-font-smoothing: grayscale;\n-  vertical-align: middle;\n-  margin-top: -2px;\n }\n \n #wpfooter {\n@@ -4406,11 +4403,11 @@\n   background: #eee;\n }\n .post-type-lp_order #order_details .order-data-date .order-date {\n-  width: 120px;\n+  width: 130px;\n }\n .post-type-lp_order #order_details .order-data-date .order-hour,\n .post-type-lp_order #order_details .order-data-date .order-minute {\n-  width: 50px;\n+  width: 60px;\n }\n .post-type-lp_order #order_details .order-data-note {\n   display: inline-block;\n@@ -7426,11 +7423,8 @@\n   margin-right: 5px;\n   font-variant: normal;\n   text-transform: none;\n-  line-height: 1;\n   -webkit-font-smoothing: antialiased;\n   -moz-osx-font-smoothing: grayscale;\n-  vertical-align: middle;\n-  margin-top: -2px;\n }","An unauthenticated attacker can exploit this vulnerability by crafting a URL targeting the course archive page (typically located at \u002Fcourses\u002F or reachable via ?post_type=lp_course). The attacker injects a malicious JavaScript payload into the 'lp-s' (search) or 'orderby' (sorting) GET parameters, such as: ?lp-s=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>. When a victim visits this URL, the search term is reflected back into the HTML without escaping, causing the browser to execute the arbitrary script in the context of the victim's session.","gemini-3-flash-preview","2026-06-04 14:52:35","2026-06-04 14:53:36",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.3.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress\u002Ftags\u002F4.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flearnpress.4.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress\u002Ftags\u002F4.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flearnpress.4.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress\u002Ftags"]