CVE-2026-4365
Published: 14 April 2026
Summary
CVE-2026-4365 is a critical-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly mitigating the missing capability and ownership checks in the delete_question_answer function.
Employs least privilege to restrict unauthenticated attackers from executing destructive actions like quiz answer deletion.
Controls access to and use of publicly accessible content such as the exposed wp_rest nonce in lpData and the lp-load-ajax endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote unauthenticated flaw in a public-facing WordPress plugin (LearnPress) that allows crafted requests to delete arbitrary data via an exposed nonce and missing authorization checks, directly enabling T1190 (Exploit Public-Facing Application) for initial exploitation and T1485 (Data Destruction) for the resulting unauthorized deletion impacting integrity and availability.
NVD Description
The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. The plugin exposes a `wp_rest` nonce in public frontend HTML (`lpData`)…
more
to unauthenticated visitors, and uses that nonce as the only security gate for the `lp-load-ajax` AJAX dispatcher. The `delete_question_answer` action has no capability or ownership check. This makes it possible for unauthenticated attackers to delete any quiz answer option by sending a crafted POST request with a publicly available nonce.
Deeper analysisAI
CVE-2026-4365 is a vulnerability in the LearnPress plugin for WordPress, affecting all versions up to and including 4.3.2.8. It enables unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function. The plugin exposes a `wp_rest` nonce in public frontend HTML via the `lpData` object, making it accessible to unauthenticated visitors. This nonce acts as the only security mechanism for the `lp-load-ajax` AJAX dispatcher, while the `delete_question_answer` action performs no capability or ownership verification.
Unauthenticated attackers can exploit this vulnerability remotely by sending a crafted POST request to the `lp-load-ajax` endpoint, incorporating the publicly available nonce. Successful exploitation allows deletion of any quiz answer option, regardless of ownership. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating high-impact disruption to data integrity and availability with low complexity and no required privileges.
Advisories reference specific code locations in the plugin, including line 33 of `AbstractAjax.php` for AJAX handling, line 285 of `EditQuestionAjax.php` for the vulnerable function, and line 177 of `class-lp-assets.php` for nonce exposure in frontend assets. The Wordfence threat intelligence page details the vulnerability under ID 021bd566-1663-46ba-a616-ab554b691cbb.
Details
- CWE(s)