The LearnPress - WordPress LMS Plugin for WordPress, in versions up to and including 4.2.7, is vulnerable to an unauthenticated SQL Injection that can let an attacker read sensitive data from the WordPress database. This article walks through the details of the vulnerability, an illustrative code snippet, the available mitigations, and links to the original references.

Vulnerability Details (CVE-2024-8529):
The LearnPress - WordPress LMS Plugin for WordPress, in all versions up to and including 4.2.7, is affected by an SQL Injection vulnerability caused by insufficient escaping of a user-supplied parameter and a lack of preparation of the existing SQL query in the '/wp-json/lp/v1/courses/archive-course' REST API endpoint. An attacker can use it to append additional SQL to the query the plugin runs and extract data from the database.

The injection point is the 'c_fields' parameter of that endpoint. Because the plugin neither sanitizes nor escapes the value before building the query, SQL supplied in 'c_fields' is appended to the query the plugin executes.

Code Snippet

The following simplified snippet illustrates the vulnerable pattern in the /wp-json/lp/v1/courses/archive-course REST API endpoint (it is a condensed illustration of the flaw, not the plugin's exact source):

// $c_fields is taken straight from the request and interpolated into the SQL string:
// no $wpdb->prepare(), no escaping, so a quote in the value ends the string literal.
$result = $wpdb->get_results("SELECT * FROM $wpdb->learnpress_courses WHERE c_fields = '$c_fields'");

In the snippet above, the $c_fields value is neither sanitized nor escaped before it is placed inside the query string. A crafted value can close the quoted literal and alter the rest of the statement, so the endpoint ends up returning data it was never meant to expose.

Exploit Details

No login is required: an attacker simply sends a request to the REST API endpoint with a malicious 'c_fields' value. By reshaping the query, the attacker can extract sensitive information such as user password hashes, email addresses, and other data stored in the WordPress database.
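Because the endpoint is reachable without authentication, the most useful thing a defender can do while patching is look for abuse in the web server logs. The following PHP script is an added example (not part of the original article and not LearnPress code): it parses constructed access-log lines in the common log format, keeps only requests to the archive-course endpoint, and flags any 'c_fields' value containing characters that a plain list of column names would never need. The sample lines, the IP addresses and the heuristic character class are all assumptions for illustration.

```php
<?php
// Added detection example. The log lines below are constructed for illustration;
// only the endpoint path comes from the advisory. The heuristic is generic.

const LP_ENDPOINT = '/wp-json/lp/v1/courses/archive-course';

/**
 * Scan access-log lines and return [client IP, decoded c_fields value] for every
 * request to the archive-course endpoint whose c_fields contains anything other
 * than letters, digits, underscores, commas and whitespace.
 */
function lp_example_scan_log( array $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        // Common/combined log format: client IP first, then "METHOD path HTTP/x.y".
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        $ip  = $m[1];
        $url = parse_url( $m[2] );
        if ( empty( $url['path'] ) || strpos( $url['path'], LP_ENDPOINT ) !== 0 ) {
            continue;
        }
        // parse_str() URL-decodes the values for us (so %27 becomes a quote).
        parse_str( isset( $url['query'] ) ? $url['query'] : '', $params );
        if ( ! isset( $params['c_fields'] ) ) {
            continue;
        }
        // c_fields[]=... would arrive as an array; flatten it before matching.
        $value = is_array( $params['c_fields'] ) ? implode( ',', $params['c_fields'] ) : (string) $params['c_fields'];
        if ( ! preg_match( '/^[A-Za-z0-9_,\s]*$/', $value ) ) {
            $hits[] = array( $ip, $value );
        }
    }
    return $hits;
}

// Constructed sample log: one benign call, one injection probe, one unrelated request.
$sample_log = array(
    '203.0.113.10 - - [12/Sep/2024:09:01:02 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_fields=ID,post_title&limit=10 HTTP/1.1" 200 1532',
    '203.0.113.10 - - [12/Sep/2024:09:01:05 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_fields=ID%27%20OR%201%3D1--%20 HTTP/1.1" 200 48213',
    '198.51.100.7 - - [12/Sep/2024:09:02:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2210',
);

foreach ( lp_example_scan_log( $sample_log ) as $hit ) {
    printf( "suspicious c_fields from %s: %s\n", $hit[0], $hit[1] );
}
```

Only the second line is reported, since its decoded value contains a quote and an SQL comment marker. Note the limitation: access logs show the query string of GET requests only; if the endpoint is called with a POST body, the 'c_fields' value is not in the standard log and must be captured by a WAF or request-body logging instead.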

References

1. Official LearnPress - WordPress LMS Plugin Repository: https://wordpress.org/plugins/learnpress/
2. WordPress.org Support Forum: https://wordpress.org/support/plugin/learnpress/

To mitigate this class of vulnerability, every user-supplied value must be bound through a prepared statement ($wpdb->prepare() in WordPress) rather than interpolated into the query string. Note the caveat that prepared statements cannot bind identifiers: if a parameter such as 'c_fields' selects column names, as its name suggests, it has to be reduced to a fixed allow-list of known columns before it is placed in the query, because escaping alone does not make an identifier safe.
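The following PHP is an added example (not LearnPress's code and not from the original article) that places the page's vulnerable pattern next to a hardened version. It assumes a $wpdb-like object offering prepare() and get_results(), which WordPress's global $wpdb provides; the table name, the column allow-list and the Example_Fake_Wpdb stand-in used to run the file from the command line are all hypothetical.

```php
<?php
// Added example, not LearnPress code. Table and column names are hypothetical;
// Example_Fake_Wpdb only mimics $wpdb->prepare() so the file runs without WordPress.

// Column identifiers cannot be bound by $wpdb->prepare(), so a field list taken
// from the request must be intersected with a fixed allow-list of real columns.
function lp_example_safe_fields( $raw ) {
    $allowed = array( 'ID', 'post_title', 'post_name', 'post_date' ); // hypothetical schema
    $wanted  = array_map( 'trim', explode( ',', (string) $raw ) );
    $fields  = array_values( array_intersect( $wanted, $allowed ) );
    if ( empty( $fields ) ) {
        $fields = array( 'ID', 'post_title' ); // default projection
    }
    // Every entry is now one of the literal strings above, so backtick-quoting is safe.
    return '`' . implode( '`, `', $fields ) . '`';
}

// Vulnerable pattern from the page: the parameter is interpolated into the SQL string.
function lp_example_vulnerable( $wpdb, $c_fields ) {
    $table = $wpdb->prefix . 'learnpress_courses'; // hypothetical table
    return $wpdb->get_results( "SELECT * FROM $table WHERE c_fields = '$c_fields'" );
}

// Hardened: the identifier list goes through the allow-list, every value through prepare().
function lp_example_hardened( $wpdb, $c_fields, $status ) {
    $table   = $wpdb->prefix . 'learnpress_courses';
    $columns = lp_example_safe_fields( $c_fields );
    $sql     = $wpdb->prepare(
        "SELECT $columns FROM $table WHERE post_status = %s LIMIT %d",
        $status,
        20
    );
    return $wpdb->get_results( $sql );
}

// Minimal stand-in for $wpdb: prepare() quotes and escapes %s like WordPress does,
// get_results() just returns the SQL so the script can print what would be sent.
class Example_Fake_Wpdb {
    public $prefix = 'wp_';
    public function prepare( $query, ...$args ) {
        $query = str_replace( "'%s'", '%s', $query );
        $query = str_replace( '%s', "'%s'", $query );
        $args  = array_map( function ( $a ) { return is_string( $a ) ? addslashes( $a ) : $a; }, $args );
        return vsprintf( $query, $args );
    }
    public function get_results( $sql ) { return $sql; }
}

$db      = new Example_Fake_Wpdb();
$payload = "' OR 1=1 -- ";
echo lp_example_vulnerable( $db, $payload ), "\n";                           // quote closed, condition always true
echo lp_example_hardened( $db, "ID,post_title,$payload", 'publish' ), "\n";  // payload silently dropped
```

Running the file prints the two generated statements: the vulnerable one reads `WHERE c_fields = '' OR 1=1 -- '`, while the hardened one projects only `ID` and `post_title` and carries the status as a quoted, escaped literal. The allow-list, not the escaping, is what protects the column list; keep it as a constant next to the schema it describes so it is updated together with the table.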

The vulnerability is fixed in LearnPress 4.2.8. All users should update the plugin to 4.2.8 or later; because the endpoint requires no authentication, every site still on 4.2.7 or earlier is exposed.

Conclusion

The SQL Injection vulnerability in the LearnPress - WordPress LMS Plugin (CVE-2024-8529) can have serious consequences for WordPress sites running an affected version, since it needs no account on the target. Updating to the latest version of the plugin, and binding or allow-listing all user input before it reaches a query, substantially reduces the risk of exploitation.

Timeline

Published on: 09/12/2024 08:30:46 UTC