WordPress LearnDash LMS 4.6.0 Insecure Direct Object Reference Vulnerability

Description: LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change 

Affected Plugin: LearnDash LMS

Plugin Slug: sfwd-lms

Affected Versions: <= 4.6.0

CVE ID: CVE-2023-3105

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Lana Codes 

Fully Patched Version: 4.6.0.1

The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with existing account access at any level, to change user passwords and potentially take over administrator accounts.

Technical Analysis

The LearnDash LMS plugin provides the shortcode ‘[ld_reset_password]‘ to embed a password reset form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key.

Examining the code reveals that the plugin checks that the user activation key belongs to the given user with the learndash_reset_password_verification() function only when displaying the new password form, where the new password can be entered.

[View this code snippet on the blog]  

However, there is no user activation key check when processing this form. This makes it possible for any authenticated user who has accessed the password reset form via the link sent in the email to modify the password of another user by changing the value of the username hidden input field.

[View this code snippet on the blog]  

As with any Arbitrary User Password Change that leads to a Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Disclosure Timeline

June 5, 2023 – Discovery of the Arbitrary User Password Change vulnerability in LearnDash LMS.

June 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.

June 5, 2023 – The vendor confirms the inbox for handling the discussion.

June 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.

June 5, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.

June 6, 2023 – A fully patched version of the plugin, 4.6.0.1, is released.

July 5, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we have detailed an Arbitrary User Password Change vulnerability within the LearnDash LMS plugin affecting versions 4.6.0 and earlier. This vulnerability allows threat actors to easily take over websites by resetting the password of any user, including administrators. The vulnerability has been fully addressed in version 4.6.0.1 of the plugin. We encourage WordPress users to verify that their sites are updated to the latest patched version of LearnDash LMS.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence will receive the same protection on July 5, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.