Several critical vulnerabilities were discovered in the LearnPress online course plugin, including a pre-authentication SQL injection and a local file inclusion bug. The plugin is used by more than 100,000 WordPress sites, and so far only 25% of site owners have installed the patches.
LearnPress is an LMS plugin that allows WordPress sites to create and sell online courses, lessons, and quizzes, offering a user-friendly interface without requiring site administrators to know programming and development.
The LearnPress vulnerabilities were discovered by PatchStack experts between November 30 and December 2, 2022, and the researchers immediately notified the plugin's developers. The issues were fixed on December 20, 2022 with the release of LearnPress 4.2.0; however, according to WordPress.org statistics, only 25% of all sites have installed the fixes so far. That is, approximately 75,000 sites are still running vulnerable versions of LearnPress, exposing them to serious risk.
The first vulnerability discovered by PatchStack was CVE-2022-47615, an unauthenticated local file inclusion bug that allows attackers to read the contents of local files stored on the web server. This can expose credentials, authentication tokens, and API keys, leading to further compromise.
The second critical bug (CVE-2022-45808) is an unauthenticated SQL injection that can lead to disclosure of sensitive information, data modification, and arbitrary code execution. The vulnerability lies in a function that builds the site's SQL queries: it fails to properly sanitize and validate the $filter variable taken from the query parameters, which allows an attacker to inject malicious SQL through it.
(Image: SQL injection demonstration exploit)
The third vulnerability, affecting older versions of LearnPress, is CVE-2022-45820. This is another SQL injection (this time post-authentication) found in two plugin shortcodes, learn_press_recent_courses and learn_press_featured_courses, which fail to properly check and sanitize the input passed in the $args variable.
Fortunately, exploitation of this vulnerability is limited by the fact that an attacker must already hold the rights to edit or create blog posts in order to carry out an attack.
All site owners using LearnPress are advised to upgrade to version 4.2.0 as soon as possible, or to disable the plugin entirely until they can install the patch.
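Since three quarters of installations were still unpatched, the practical check for an administrator is whether the installed LearnPress release is older than 4.2.0. The script below is an added example and is not code from the article, from PatchStack or from the LearnPress project. It assumes the plugin is installed under wp-content/plugins/learnpress/ with the standard WordPress header ("Version: x.y.z") in a main file named learnpress.php (both names are assumptions), reads that header the way WordPress does (first 8 KB only), and compares the version numerically so that, for example, 4.10.0 is not mistaken for an older release than 4.2.0. The sample header in the block is constructed for the offline run.

```python
"""Flag installed LearnPress copies older than the patched 4.2.0 release.

Added example; not from the article, PatchStack or the LearnPress project.
Assumptions: plugin directory 'learnpress', main file 'learnpress.php',
standard WordPress plugin header carrying a 'Version:' line.
"""
import os
import re
from typing import Optional

PATCHED_VERSION = "4.2.0"            # first release with the fixes, per the article
PLUGIN_SLUG = "learnpress"           # assumed plugin directory name
PLUGIN_MAIN_FILE = "learnpress.php"  # assumed main plugin file
HEADER_BYTES = 8192                  # WordPress reads only the first 8 KB for headers

# Match the "Version:" line of a plugin header comment (e.g. " * Version: 4.1.7").
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version value from a plugin header, or None if absent."""
    m = _VERSION_RE.search(header_text[:HEADER_BYTES])
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Turn '4.1.7' or '4.2.0-rc1' into a tuple that compares numerically.

    A plain string compare would rank '4.10.0' below '4.2.0'; this does not.
    A pre-release suffix sorts before the final release of the same number,
    and a short version such as '4.2' is padded to '4.2.0'.
    """
    base, _sep, pre = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    return (nums, 0 if pre else 1, pre)


def is_vulnerable(version: str) -> bool:
    """True if the given LearnPress version predates the patched release."""
    return version_key(version) < version_key(PATCHED_VERSION)


def scan_plugins_dir(plugins_dir: str) -> dict:
    """Inspect a wp-content/plugins directory for LearnPress.

    Returns {'installed': bool, 'version': str|None, 'vulnerable': bool|None};
    'vulnerable' is None when the plugin is absent or its version is unreadable.
    """
    main = os.path.join(plugins_dir, PLUGIN_SLUG, PLUGIN_MAIN_FILE)
    if not os.path.isfile(main):
        return {"installed": False, "version": None, "vulnerable": None}
    with open(main, "r", encoding="utf-8", errors="replace") as fh:
        version = parse_plugin_version(fh.read(HEADER_BYTES))
    if version is None:
        return {"installed": True, "version": None, "vulnerable": None}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample header (the version number is made up for the demo).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LearnPress
 * Version: 4.1.7
 */
"""

if __name__ == "__main__":
    import sys

    sample = parse_plugin_version(SAMPLE_HEADER)
    print(f"sample header version {sample}: vulnerable={is_vulnerable(sample)}")
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    print(scan_plugins_dir(target))
```

Run it with the path to a site's wp-content/plugins directory; a result of vulnerable=True means the site is still exposed to all three CVEs described above and should be updated or have the plugin disabled.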