Critical Update: Stored XSS in LearnPress (≤ 4.3.1) — What WordPress Site Owners Must Do Now

Date: 16 Dec, 2025  |  Severity: Medium (CVSS 6.5)  |  Affected versions: LearnPress ≤ 4.3.1  |  Fixed in: LearnPress 4.3.2  |  Reported by: Arkadiusz Hydzik

Summary (Hong Kong security expert voice): a stored Cross‑Site Scripting (XSS) issue affecting LearnPress up to version 4.3.1 has been assigned CVE‑2025‑14387. The vulnerability allows an authenticated low‑privileged user (commonly Subscriber) to save JavaScript into profile fields that are later rendered without proper escaping, enabling persistent XSS. Organisations operating LearnPress — particularly learning platforms with student or instructor profiles — should treat this as a high‑priority operational security task: apply the vendor patch and perform targeted scans and containment.

Executive summary (quick read)

• What: Stored XSS in LearnPress where profile/social fields can persist malicious JavaScript (endpoint: get_profile_social).
• Who it affects: Sites running LearnPress ≤ 4.3.1 that allow low‑privilege users to edit profile/social fields.
• Impact: Persistent XSS. Injected scripts may run in other users’ browsers (including administrators), enabling session theft, unauthorized actions, redirects, and secondary payloads.
• Fix: Update LearnPress to 4.3.2 or later immediately.
• Interim mitigation: Apply virtual patching/WAF rules, restrict profile editing for low‑privilege roles, and scan usermeta/plugin tables for suspicious content.

Nature of the vulnerability

The issue is a stored (persistent) Cross‑Site Scripting flaw caused by inadequate sanitisation and missing output escaping on user profile input. An authenticated user with Subscriber capabilities can submit payloads to a server endpoint (reported as get_profile_social), which are stored and later rendered into pages without sufficient encoding.

Key technical points

• Type: Stored XSS — the payload is saved in the database.
• Prerequisites for attacker: An authenticated account with Subscriber (or equivalent) privileges — no admin access required.
• Criticality depends on rendering context: if stored fields are displayed in admin pages or to other privileged users, impact rises.
• Vendor response: patched in LearnPress 4.3.2 — update as the primary remediation.

Why stored XSS is dangerous for WordPress sites

Stored XSS is particularly harmful within the WordPress ecosystem because profile data is often rendered in multiple contexts. Consequences may include:

• Session theft and account takeover via cookie or token exfiltration.
• Persistent delivery of malicious scripts (malware, phishing, redirects).
• Actions executed in the context of authenticated users (privilege escalation via forced requests).
• Brand, reputation and SEO damage from injected content.
• Downstream/supply‑chain risk when the site integrates with external systems (SSO, payments, LMS connectors).

High‑level technical details (non‑exploitative)

• Vector: Authenticated POST requests to profile/social endpoints that accept and store user content.
• Root cause: Missing input validation and inadequate output escaping when rendering stored values.
• Required privilege: Subscriber or similar low‑privilege role.
• Remediation: Update LearnPress to 4.3.2 where the vendor corrects input/output handling.

Immediate actions every site owner should take (priority order)

If your site runs LearnPress and allows user registration or profile editing, perform these actions promptly.

1. Update LearnPress to 4.3.2 or later
   This is the definitive fix. Apply the update via WordPress admin, CLI, or your deployment pipeline. If you rely on a staging/testing workflow, prioritise a rapid test-and-deploy cycle.
2. Apply virtual patching / WAF rules where available
   If you have a web application firewall or similar edge protection, deploy temporary rules to block POSTs that include obvious script-like payloads (e.g.,
   Review My Order

   0

   Subtotal

   Taxes & shipping calculated at checkout

   Checkout