CVE-2024-8522 - LearnPress WordPress LMS Plugin Vulnerable to SQL Injection via 'c_only_fields' Parameter in REST API Endpoint

LearnPress is a popular WordPress LMS (Learning Management System) plugin. It enables users to create and sell their courses online through a WordPress-based platform. However, a concerning vulnerability has been discovered in the plugin, affecting versions up to, and including, 4.2.7.

The vulnerability (CVE-2024-8522) may allow unauthenticated attackers to perform SQL injection via the 'c_only_fields' parameter of the '/wp-json/learnpress/v1/courses' REST API endpoint. This security flaw arises due to insufficient escaping on the user-supplied parameter and lack of sufficient SQL preparation on the existing query.

Exploit Details

The specific vulnerability exploitation revolves around the 'c_only_fields' parameter found in the '/wp-json/learnpress/v1/courses' REST API endpoint. An attacker can submit a specially crafted request to this endpoint, which can append additional SQL queries into the existing one. Consequently, this manipulation can be utilized to extract sensitive information from the database.

Here's a code snippet demonstrating the vulnerable section of the LearnPress code

// learnpress/includes/rest-api/v1/class-lp-rest-api-v1.php

function prepare_items_query( $request ) {
    ...
    $sql .= " {$request['_only_fields']} ";
    ...
    return $sql;
}

The '_only_fields' attribute of the $request object is derived from the 'c_only_fields' parameter in the request. Due to insufficiently escaping the user-supplied input and not correctly preparing the SQL query, a skillful attacker can inject malicious SQL queries and obtain sensitive data, such as user credentials or other private information stored in the database.

Original References

Since the vulnerability affects all LearnPress versions up to, and including, 4.2.7, it's highly recommended that users update the plugin to the latest version available. For more information on the vulnerability and official patch, please refer to the following links:

1. LearnPress official website: https://thimpress.com/product/wordpress-lms-plugin-learnpress/
2. LearnPress official Github repository: https://github.com/LearnPress
3. Wordpress Plugin Directory: https://wordpress.org/plugins/learnpress/

Mitigation

As a LearnPress user, it is highly advisable to take immediate measures to avoid potential attacks on your WordPress site. Here are some essential steps to follow in order to secure your WordPress installation:

1. Update LearnPress plugin: Make sure to update the plugin to the latest version available to eliminate the vulnerability.
2. Limit access to the REST API: Restrict access to the WordPress REST API, either by installing a security plugin or configuring your web server to allow only authenticated users.
3. Monitor logs: Keep an eye on server logs for any suspicious activity that could indicate exploitation attempts.
4. Implement an Intrusion Detection System (IDS): Utilize an IDS to actively monitor your website and detect any security violations.

Conclusion

By addressing the LearnPress vulnerability (CVE-2024-8522), WordPress users can help safeguard the sensitive data stored in their database, ensuring the security and privacy of their users. As with any software solution, regular updates and proactively monitoring for potential risks are essential aspects of maintaining a safe online environment.

Timeline

Published on: 09/12/2024 09:15:05 UTC
Last modified on: 09/13/2024 16:12:30 UTC