Multiple critical vulnerabilities in the LearnPress WordPress plugin have been addressed after the developer released security updates. LearnPress is a WordPress learning management system (LMS) plugin with over 100K active installs on the official WordPress repository.
The plugin is popular for creating and selling courses online. With LearnPress, users can create a course curriculum with lessons and quizzes, which makes it ideal for schools with online teaching and course portals.
The vulnerabilities were discovered by Patchstack between November 30 and December 2, 2022. The vulnerabilities are:
- CVE-2022-47615: An unauthenticated local file inclusion vulnerability could allow an attacker to display the contents of local files stored on the web server, potentially exposing credentials, authorisation tokens, and API keys.
- CVE-2022-45808: An unauthenticated SQL injection vulnerability could allow an attacker to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution.
- CVE-2022-45820: An authenticated SQL injection vulnerability could allow an attacker to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution.
The vulnerabilities are now fixed and users and administrators of LearnPress are advised to upgrade to version 4.2.0 immediately.