Description

The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request.

PUBLISHED Reserved 2026-05-12 | Published 2026-06-17 | Updated 2026-06-17 | Assigner WPScan

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

Any version before 4.3.7: affected

Credits

dyingman1 finder

WPScan coordinator

References

wpscan.com/...rability/b7cbf68b-62c5-4787-b84b-69df9e0122b2/ exploit vdb-entry technical-description

cve.org (CVE-2026-8383)

nvd.nist.gov (CVE-2026-8383)
