CVE-2022-3360: Remote Code Execution Vulnerability in LearnPress WordPress Plugin, Exploit Details & Mitigation

WordPress is one of the most popular content management systems (CMS) powering millions of websites globally. Plugins like LearnPress are used by thousands of website owners to create and manage online courses. However, a critical vulnerability has been identified in the LearnPress plugin, which affects versions before 4.1.7.2. This vulnerability could potentially lead to PHP Object Injection and Remote Code Execution (RCE), giving attackers the ability to execute arbitrary code on the target server.

CVE-2022-3360: Vulnerability Details

The vulnerability in version 4.1.7.1 of the LearnPress plugin stems from the unsafe handling of user input in a REST API endpoint. This REST API endpoint can be accessed by unauthenticated users, meaning attackers do not need to log in to exploit this vulnerability.

To exploit this vulnerability, an attacker would need knowledge of the site's secret keys and salts to generate a valid hash using the wp_hash() function. This knowledge would allow them to craft a malicious serialized PHP object, which, when unserialized, would trigger the injection and ultimately lead to RCE.

Here is a sample of the vulnerable code found in the file /lp/includes/admin/assets/webhooks.php

$data = wp_verify_nonce( $_REQUEST['nonce_async_webhooks'], 'nonce_async_webhooks' );
if ( $data_nonce === 1 ) {
    $events = maybe_unserialize(base64_decode($_REQUEST['events']));
    ...
}

As seen above, the $events variable is unserialized without validating the input, opening the door for attackers to exploit PHP Object Injection.

Exploit Details

An attacker could create a malicious PHP object and encode it using the base64 algorithm. They would then access the vulnerable REST API endpoint and pass this base64 encoded object as a parameter along with a valid hash generated from the site's secret keys. When the server receives these parameters, it unserializes the data, leading to PHP Object Injection, eventually allowing the attacker to execute arbitrary code on the target server.

To protect your WordPress website against this vulnerability, follow these mitigation steps

1. Update the LearnPress plugin to version 4.1.7.2 or later. If you are using a previous version of the plugin, upgrade immediately to patch the vulnerability:

Find "LearnPress" in the plugin list and click "Update Now."

2. Regularly review your WordPress installation, including themes, plugins, and core files, for updates and patch as necessary.

3. Utilize strong and unique secret keys and salts for your WordPress installation. You can leverage the WordPress secret key generator (https://api.wordpress.org/secret-key/1.1/salt/) to obtain new values.

Conclusion

In conclusion, CVE-2022-3360 is a severe vulnerability that could allow attackers to execute arbitrary code on the target server, compromising the website's integrity and potentially gaining access to sensitive data. By following the above mitigation steps and remaining vigilant in maintaining your WordPress site, you can help protect against these types of security threats.

Timeline

Published on: 10/31/2022 16:15:00 UTC
Last modified on: 11/01/2022 13:56:00 UTC