Multiple vulnerabilities have been discovered in the WordPress online course plugin LearnPress. The vulnerabilities are being tracked as CVE-2022-45820, CVE-2022-45808, and CVE-2022-47615. These vulnerabilities could allow attackers to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution. PatchStack discovered the vulnerability.
LearnPress is a comprehensive, free-to-use learning management system (LMS) plugin for WordPress. This plugin creates a course curriculum with lessons and quizzes that can be managed with an easy-to-use user interface. The plugin helps to quickly and easily create education, online school, and online-course websites without the requirement of coding knowledge.
According to WordPress, the LMS plugin has over 100,000 active installations, of which only 31.5% use the patched version 4.2. This makes many installations vulnerable to critical severity security flaws.
Vulnerability Description and Analysis
Unauthenticated Local File Inclusion Vulnerability (CVE-2022-47615)
The local file inclusion vulnerability exploits the dynamic file inclusion mechanisms implemented in the target application. An unauthenticated malicious actor might use the vulnerability to incorporate local files from the target website and show the output on the screen. Credential storing files, such as database credentials, may contribute to a total database takeover.
The list_courses function under inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php is responsible for the vulnerability. The function handles API requests to lp/v1/courses/archive-course. An unauthenticated user may be able to control and achieve LFI with the variables mentioned below:
Unauthenticated SQL Injection Vulnerability (CVE-2022-45808)
The SQL injection vulnerability allows an attacker to interfere with an application’s database queries and may allow an attacker to view confidential data. The vulnerability could give a malicious actor direct access to the user database, allowing them to steal data and set up new administrator accounts.
The execute function under vulnerable code inc/databases/class-lp-db.php is responsible for the vulnerability. This function is called in the REST API process flow for handling the SQL queries for the website. The first parameter accepted by the execute function is LP_Filter $filter.
Function does not correctly sanitize and validate the query parameter $filter variable, triggering the SQL command injection flaw.
Authenticated SQL Injection Vulnerability (CVE-2022-45820)
The authenticated SQL injection vulnerability in the LearnPress plugin may allow an attacker to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution. An attacker needs to have authentication to exploit this vulnerability.
The vulnerability exists in the two shortcodes of the LMS plugin learn_press_recent_courses and learn_press_featured_courses. These shortcodes are handled by inc/curds/class-lp-course-curd.php code. An attacker can control the value of $args from the shortcode declaration to trigger SQL Injection.
LearnPress Plugin versions before and including 184.108.40.206.2 are affected by these vulnerabilities.
Customers are requested to upgrade to the LearnPress Plugin 4.2.0 or later to mitigate this vulnerability. For more information about the mitigation, please refer to WordPress Security Advisory.
Qualys customers can scan their devices with QID 730709 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.