LearnPress is a learning management system (LMS) plugin that allows WordPress websites to easily create online courses, lessons, quizzes, and tests. It provides website visitors with a user-friendly interface and does not require programming knowledge from the developer.
Vulnerabilities in a plugin used by over 100,000 active sites were discovered by PatchStack between November 30 and December 2, 2022 and brought to the attention of the software vendor.
The issues were fixed on December 20, 2022 with the release of LearnPress version 4.2.0. However, according to WordPress.org statistics, only 25% of users have updated the plugin to the latest version. This means that approximately 75,000 websites are still using the vulnerable version of LearnPress and are vulnerable to malicious attacks.
The first vulnerability discovered by PatchStack was CVE-2022-47615, a non-authenticated local file inclusion (LFI) vulnerability that allows hackers to display the contents of local files stored on a web server. This can expose credentials, authorization tokens, and API keys, leading to further compromise.
The vulnerability was discovered in a piece of code that handles API requests for a website, located in the list_courses function, which does not validate properly defined variables ($template_pagination_path, $template_path and $template_path_item).
The second critical vulnerability, CVE-2022-45808, is an unauthenticated SQL injection that can lead to the disclosure of sensitive information, data modification, and arbitrary code execution.
The vulnerability lies in the handling of SQL queries for a website that incorrectly cleans and validates the "$filter" variable in query parameters, allowing an attacker to inject malicious code into it.
The third vulnerability affecting older versions of LearnPress is CVE-2022-45820 - Authenticated SQL Injection Error in two plugin shortcodes ("learn_press_recent_courses" and "learn_press_featured_courses") preventing proper validation and sanitization of the "$args" variable input".
PatchStack representatives have already provided a PoC exploit demonstrating how the user “Contributor” can initiate a SQL injection using a specially crafted shortcode in a draft post. Only users with the ability to edit or create a new blog entry can implement the vulnerability, which limits the risk of exploitation.
The LearnPress developers in the latest update whitelisted and cleaned up vulnerable variables by removing the ability to include templates in user input. Website owners using LearnPress are advised to either upgrade to version 4.2.0 or temporarily disable the plugin until they can apply an available security update.