Critical WordPress “LearnPress” Plugin Vulnerabilities
January 25, 2023
Security researchers discovered multiple critical-severity vulnerabilities, including pre-auth SQL injection and local file inclusion, in “LearnPress”, a WordPress plugin for online courses.
The Critical Vulnerabilities
- CVE-2022-45808 (CVSS 3.1: 9.9, Critical) – An SQL injection vulnerability that might allow a malicious actor to interact directly with your database, including but not limited to stealing information and creating new administrator accounts.
- CVE-2022-47615 (CVSS 3.1: 9.3, Critical) – An unauthenticated local file inclusion (LFI) vulnerability that might allow a malicious actor to access the contents of local files stored on the web server, including credentials, authorization tokens, and API keys.
- CVE-2022-45820 (CVSS 3.1: 9.1, Critical) – An SQL injection vulnerability that might allow a malicious actor to interact directly with your database, including but not limited to stealing information and creating new administrator accounts.
Affected Products
- WordPress “LearnPress” plugin prior to version 4.2.0.
Mitigation
CYREBRO recommends that those who use the “LearnPress” plugin update to the newest available version to mitigate these vulnerabilities.
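To find installs that still need the update, the following added example (not code from CYREBRO, Patchstack or the LearnPress project) reads the standard WordPress `Version:` plugin header and compares it with 4.2.0. The path to the plugin's main PHP file is supplied by the caller, and the sample header and function names are constructed for illustration.

```python
import re
import sys

FIXED = (4, 2, 0)    # from the advisory: versions prior to 4.2.0 are affected
HEADER_BYTES = 8192  # WordPress reads only the first 8 KiB for plugin headers

# Constructed sample of a plugin header, not copied from a real release.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: LearnPress\n * Version: 4.1.7.3.2\n */\n"

_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def header_version(text):
    """Return the Version header value from plugin file text, or None."""
    m = _VERSION_RE.search(text[:HEADER_BYTES])
    return m.group(1) if m else None


def parse_version(version):
    """Turn '4.1.7.3.2' into (4, 1, 7, 3, 2); None if not purely numeric."""
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", version):
        return None
    return tuple(int(p) for p in version.split("."))


def _pad(parts, width):
    return parts + (0,) * (width - len(parts))


def classify(version):
    """Return 'affected', 'patched', or 'unknown' (needs manual review)."""
    parsed = parse_version(version) if version else None
    if parsed is None:
        return "unknown"
    # Pad to equal length so 4.2 compares equal to 4.2.0 instead of below it.
    width = max(len(parsed), len(FIXED))
    return "affected" if _pad(parsed, width) < _pad(FIXED, width) else "patched"


def check_file(path):
    """Read the header region of one plugin file and classify its version."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        version = header_version(fh.read(HEADER_BYTES))
    return version, classify(version)


if __name__ == "__main__":
    # Arguments: path(s) to the plugin's main PHP file (location is site-specific).
    for path in sys.argv[1:]:
        print(path, *check_file(path))
```

A result of `unknown` means the header was missing or carried a non-numeric suffix, so that install should be checked by hand rather than assumed patched.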
References: Patchstack Advisory.