Lucene search

[email protected]NVD:CVE-2024-6088

HistoryJul 02, 2024 - 11:15 a.m.

CVE-2024-6088

2024-07-0211:15:10

CWE-862

[email protected]

web.nvd.nist.gov

learnpress wordpress lms plugin

vulnerability

unauthorized user registration

capability check

bypass

disabled user registration

new account

default role

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

20.6%

JSON

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the ‘register’ function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role.

Affected configurations

NVD

Node

thimpresslearnpressRange<4.2.6.8.2wordpress

References

plugins.trac.wordpress.org/browser/learnpress/tags/4.2.6.8.1/inc/class-lp-forms-handler.php#L235

plugins.trac.wordpress.org/browser/learnpress/tags/4.2.6.8.1/inc/jwt/includes/class-jwt-public.php#L127

plugins.trac.wordpress.org/changeset/3109339/

www.wordfence.com/threat-intel/vulnerabilities/id/04e0ddff-16af-4c85-b5b0-cf767684ee08?source=cve

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

20.6%

JSON

Related for NVD:CVE-2024-6088

vulnrichment1 cvelist1 cve1