CVE-2026-48865 | Severity: HIGH | CNA: Patchstack

CVE-2026-48865: WordPress LearnPress plugin <= 4.3.6 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress allows Reflected XSS. This issue affects LearnPress: from n/a through 4.3.6.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Reflected cross-site scripting (XSS) in the ThimPress LearnPress WordPress plugin (versions up to and including 4.3.6) allows a remote, unauthenticated attacker to inject malicious JavaScript into a victim's browser by tricking them into clicking a crafted link. The vulnerability is reachable over the network and requires no authentication, but does require the victim to interact with a malicious URL. Successful exploitation lets the attacker read session cookies, inject content into the page, or perform actions in the application on the victim's behalf. No fix version has been published; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the LearnPress plugin.

Triage (Available)

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.1 (HIGH) and weights it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

Because no fix version has been published for LearnPress, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-isolation rules or flagging any image containing the affected plugin as non-deployable until a patch lands.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the WordPress site over the network to deliver the crafted URL to a victim.

  • Authentication: Not required

    No account or credentials are needed; the attacker sends a malicious link that any unauthenticated user can trigger.

  • Victim interaction: Required

    A victim must click the attacker-supplied link or otherwise load the crafted URL in their browser for the payload to execute.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental setup beyond delivering the malicious URL.

Blast Radius

  • The attacker's injected script runs in the victim's browser session and can read session cookies, potentially hijacking the victim's authenticated WordPress account.
  • Page content can be modified in the victim's browser, enabling phishing overlays or redirection to attacker-controlled sites.
  • The script can issue requests on behalf of the victim inside the application, such as enrolling in courses, modifying profile data, or performing any action the victim is authorized to take.
  • Confidentiality, integrity, and availability are each rated Low impact (C:L/I:L/A:L), confined to the victim's browser session with the affected WordPress application.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for LearnPress versions up to and including 4.3.6, the platform monitors the Patchstack advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment a fix version is published. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. While awaiting a patch, HarborGuard's policy engine can be configured to flag any image bundling an affected version of LearnPress as non-deployable, apply network-policy isolation to limit exposure, or route an alert to the relevant team for manual review. Where compliance policy permits, these compensating controls can be enforced automatically across all affected images in the customer's registry.

Affected packages
  • ThimPress / LearnPress ≤ 4.3.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L