Cyber Resilience

CVE-2026-3226

Severity: Medium
Published: 12 March 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS Score v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0020 (9.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3226 is a medium-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Impersonation (T1684.001). The CVE ranks at the 9.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.


Vulnerability details

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
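To illustrate the defect described above and its fix, the following added example (constructed for this page, not LearnPress's own code; class, hook, action and capability names are hypothetical) shows a WordPress AJAX dispatcher that verifies only a nonce beside one that also enforces a per-action capability check before reaching any notification handler:

```php
<?php
// Illustrative dispatcher modelled on the pattern the advisory describes.
// Constructed example, not LearnPress code; all names below are hypothetical.

class Demo_Email_Ajax {
    // Authorization policy lives beside the dispatch table: every action names
    // the capability it requires, so no handler is reachable without a check.
    private const ACTIONS = array(
        'notify_instructor_request' => 'manage_options', // admin-only decision
        'notify_course_enrolled'    => 'edit_posts',     // instructor-level stand-in
    );

    public static function register() {
        // wp_ajax_* hooks fire for logged-in users only; that is authentication,
        // not authorization, so the dispatcher must still check capabilities.
        add_action( 'wp_ajax_demo_email', array( __CLASS__, 'dispatch' ) );
    }

    // Weak dispatcher (the advisory's pattern): nonce only, then straight to the
    // handler. A wp_rest nonce is issued to every logged-in user's front end, so
    // passing this check proves only that some authenticated session exists.
    public static function dispatch_weak() {
        check_ajax_referer( 'wp_rest', 'nonce' );
        self::run( sanitize_key( $_POST['lp_action'] ?? '' ) );
    }

    // Hardened dispatcher: nonce (CSRF protection) plus capability (authorization)
    // are both required before any notification-sending handler runs.
    public static function dispatch() {
        check_ajax_referer( 'wp_rest', 'nonce' );
        $action = sanitize_key( $_POST['lp_action'] ?? '' );

        if ( ! isset( self::ACTIONS[ $action ] ) ) {
            wp_send_json_error( array( 'message' => 'Unknown action' ), 400 );
        }
        if ( ! current_user_can( self::ACTIONS[ $action ] ) ) {
            // Denied attempts are the detection signal: a low-privilege account
            // repeatedly hitting an admin-only notification action is worth alerting on.
            error_log( sprintf( 'demo_email: user %d denied action %s', get_current_user_id(), $action ) );
            wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
        }
        self::run( $action );
        wp_send_json_success();
    }

    private static function run( string $action ) {
        // Hypothetical hand-off to the notification sender (e.g. wp_mail()).
        do_action( 'demo_email_send_' . $action );
    }
}
Demo_Email_Ajax::register();
```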

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1684.001 Impersonation (Stealth): Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.

T1667 Email Bombing (Impact): Adversaries may flood targeted email addresses with an overwhelming volume of messages.
Why these techniques?

Missing authorization on email dispatch functions directly enables authenticated attackers to trigger arbitrary notifications, facilitating email flooding (T1667) and impersonation via forged admin messages (T1656).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Controls addressing CWE-862 (Missing Authorization):

- Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
- Reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
- Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
- Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
- Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
- Requiring authorization before allowing mobile device connections directly mitigates missing authorization for system access.
- Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
