Threat Watch

Vulnerable LearnPress Plugin for WordPress Impacts 75k Sites

LearnPress is a WordPress plugin that makes it easier to set up an educational website with courses, lessons, quizzes, etc., with no knowledge of coding needed. According to the plugin’s wordpress.org page, the plugin is in use by over 100,000 active websites. Vulnerability researchers at PatchStack discovered several vulnerabilities in LearnPress between November 30th and December 2nd, 2022, and reported them to the plugin’s software vendor. On December 20th, 2022, the patched version (4.2) was released. At the time of writing, only 25% of active LearnPress installations have been patched.

There are 3 known vulnerabilities that are resolved with version 4.2:

  • CVE-2022-47615 – An unauthenticated local file inclusion (LFI) vulnerability with potential to expose credentials, tokens, API keys, and more.
  • CVE-2022-45808 and CVE-2022-45820 – Unauthenticated SQL injection flaws with potential to perform SQL database manipulation to reveal data such as user login credentials, modify databases, and achieve arbitrary command execution.

The impact of CVE-2022-45820 is partially mitigated due to the vulnerability requiring a user to already be able to edit or create posts.

ANALYST NOTES

LearnPress site administrators should update the plugin to version 4.2 or above as soon as possible. It is critical for maintainers of WordPress websites to continuously update both WordPress core and all installed plugins. Binary Defense highly recommends WordPress users enable auto-updates wherever possible.
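A quick way to audit whether an installed copy is at or above the 4.2 fix release is to read the plugin's header comment and compare the version numerically rather than as a string. The following is an added example, not code from Binary Defense or the LearnPress project; it assumes the standard WordPress plugin header format and, as a hypothetical path, that the plugin's main file is wp-content/plugins/learnpress/learnpress.php.

```python
"""Check an installed LearnPress copy against the patched release (4.2).

Added example; assumes the standard WordPress plugin header ("Version: x.y")
in the first 8 KB of the main plugin file, and a hypothetical plugin path.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

PATCHED_VERSION = "4.2"  # fix version named in the bulletin
PLUGIN_FILE = Path("wp-content/plugins/learnpress/learnpress.php")  # assumed path

# WordPress header fields look like " * Version: 4.1.7.3" inside a comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version field from a plugin header comment, or None."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """'4.1.7.3' -> (4, 1, 7, 3); stops at a non-numeric part such as '-beta'."""
    nums = []
    for part in v.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    return tuple(nums)


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True if installed >= patched. Numeric compare: '4.10' > '4.2'."""
    a, b = version_tuple(installed), version_tuple(patched)
    n = max(len(a), len(b))  # pad with zeros so 4.2 == 4.2.0
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def check_plugin_file(path: Path = PLUGIN_FILE) -> Tuple[Optional[str], bool]:
    """Read the header (WordPress itself only reads the first 8 KB) and judge it."""
    text = path.read_text(encoding="utf-8", errors="replace")[:8192]
    v = parse_plugin_version(text)
    return v, bool(v) and is_patched(v)


# Constructed sample header, shaped like the top of a plugin's main file.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: LearnPress\n * Version: 4.1.7.3\n */\n"

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(v, "patched" if is_patched(v) else "VULNERABLE: update to 4.2 or above")
```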

https://www.bleepingcomputer.com/news/security/75k-wordpress-sites-impacted-by-critical-online-course-plugin-flaws/