CVE-2018-25019 LearnDash < 2.5.4 - Unauthenticated Arbitrary File Upload

2021-11-0108:45:52

CWE-862

CWE-434

WPScan

www.cve.org

0.001 Low

EPSS

Percentile

48.7%

JSON

The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server

CNA Affected

[
  {
    "product": "LearnDash LMS",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.5.4",
        "status": "affected",
        "version": "2.5.4",
        "versionType": "custom"
      }
    ]
  }
]