The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The “LP Instructor” role grants the “unfiltered_html” capability, allowing an escalated user to insert posts containing malicious JavaScript
It is possible for a remote attacker to elevate the privileges of any user to LP Instructor by sending a request to any location within wp-admin, such as wp-admin/admin-post.php with the action parameter set to accept-to-be-teacher and the user_id parameter set to an arbitrary user ID. This is possible because the learn_press_accept_become_a_teacher function runs on the plugins_loaded action and lacks nonce checks and capability checks.