Search Results (118 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-31241 1 Thimpress 1 Learnpress 2026-04-28 7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThimPress LearnPress Export Import.This issue affects LearnPress Export Import: from n/a through 4.0.3.
CVE-2024-30508 1 Thimpress 1 Wp Hotel Booking 2026-04-28 6.5 Medium
Missing Authorization vulnerability in ThimPress WP Hotel Booking.This issue affects WP Hotel Booking: from n/a through 2.0.9.2.
CVE-2023-30487 1 Thimpress 1 Learnpress 2026-04-28 7.1 High
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ThimPress LearnPress Export Import plugin <= 4.0.2 versions.
CVE-2025-60200 2 Thimpress, Wordpress 2 Learnpress Export Import, Wordpress 2026-04-27 7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows PHP Local File Inclusion.This issue affects LearnPress Export Import: from n/a through <= 4.1.2.
CVE-2025-63011 2 Thimpress, Wordpress 2 Wp Hotel Booking, Wordpress 2026-04-24 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS.This issue affects WP Hotel Booking: from n/a through <= 2.2.8.
CVE-2025-63012 2 Thimpress, Wordpress 2 Wp Hotel Booking, Wordpress 2026-04-24 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery.This issue affects WP Hotel Booking: from n/a through <= 2.2.8.
CVE-2025-63013 2 Thimpress, Wordpress 2 Wp Hotel Booking, Wordpress 2026-04-24 4.3 Medium
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.
CVE-2025-66054 2 Thimpress, Wordpress 2 Learnpress, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.9.4.
CVE-2026-3225 2 Thimpress, Wordpress 2 Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses, Wordpress 2026-04-24 4.3 Medium
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and the QuestionAnswerModel::delete() method only validates minimum answer counts without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete answer options from any quiz question on the site.
CVE-2026-27065 2 Thimpress, Wordpress 2 Builderpress, Wordpress 2026-04-23 9.8 Critical
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through <= 2.0.1.
CVE-2025-67594 3 Elementor, Thimpress, Wordpress 3 Elementor, Thim Elementor Kit, Wordpress 2026-04-23 4.3 Medium
Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thim Elementor Kit: from n/a through <= 1.3.3.
CVE-2025-60227 2 Thimpress, Wordpress 2 Wp Pipes, Wordpress 2026-04-23 8.6 High
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal.This issue affects WP Pipes: from n/a through <= 1.4.3.
CVE-2025-57987 2 Thimpress, Wordpress 2 Wp Events Manager, Wordpress 2026-04-23 5.3 Medium
Missing Authorization vulnerability in ThimPress WP Events Manager wp-events-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Events Manager: from n/a through <= 2.2.1.
CVE-2025-47448 1 Thimpress 1 Wp Hotel Booking 2026-04-23 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery.This issue affects WP Hotel Booking: from n/a through <= 2.1.9.
CVE-2025-39460 1 Thimpress 1 Eduma 2026-04-23 5.3 Medium
Missing Authorization vulnerability in ThimPress Eduma eduma allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eduma: from n/a through <= 5.6.4.
CVE-2025-24740 2 Thimpress, Wordpress 2 Learnpress, Wordpress 2026-04-23 4.7 Medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in ThimPress LearnPress learnpress.This issue affects LearnPress: from n/a through <= 4.2.7.1.
CVE-2025-22739 2 Thimpress, Wordpress 2 Learnpress, Wordpress 2026-04-23 5.3 Medium
Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.7.5.
CVE-2024-51582 1 Thimpress 1 Wp Hotel Booking 2026-04-23 7.5 High
Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows PHP Local File Inclusion.This issue affects WP Hotel Booking: from n/a through <= 2.2.9.
CVE-2026-3226 2 Thimpress, Wordpress 2 Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses, Wordpress 2026-04-22 4.3 Medium
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
CVE-2026-1870 2 Thimpress, Wordpress 2 Thim Kit For Elementor – Pre-built Templates & Widgets For Elementor, Wordpress 2026-04-22 5.3 Medium
The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload.