Platform: wordpress
Component: learnpress
Fixed in: 4.2.7
CVE-2024-4434 is a critical SQL Injection vulnerability discovered in the LearnPress WordPress LMS Plugin. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions up to and including 4.2.6.5. A patch is available to address this issue.
The SQL Injection vulnerability in LearnPress allows unauthenticated attackers to bypass the plugin's access controls and interact directly with the site's database. By manipulating the ‘term_id’ parameter, an attacker can append arbitrary SQL to the query the plugin builds from it. This enables them to extract sensitive information such as user credentials, course details, and payment information. Successful exploitation could lead to complete database compromise, data breaches, and potential disruption of the LearnPress LMS functionality. The impact is particularly severe given the plugin's role in managing learning content and user data.
CVE-2024-4434 was publicly disclosed on 2024-05-10. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. Public proof-of-concept exploits are likely to emerge. The vulnerability is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring.
Exploit Status
EPSS: 77.09% (99th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-4434 is to immediately upgrade the LearnPress WordPress LMS Plugin to a version that includes the security patch. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing temporary workarounds. These might include restricting access to the vulnerable endpoint, implementing input validation and sanitization on the ‘term_id’ parameter, or using a Web Application Firewall (WAF) to filter malicious SQL queries. Regularly review WordPress plugin security updates and apply them promptly.
Update the LearnPress plugin to a version later than 4.2.6.5. This will resolve the SQL Injection vulnerability.
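As a defender-side addition (not code from the advisory or from the LearnPress plugin), the following script applies the input-validation check described above as a detection: it scans web server access logs for requests whose term_id query parameter is not a plain integer. It assumes the Apache/nginx combined log format and that a legitimate term_id is a non-negative taxonomy term ID; the log lines are constructed samples.

```python
"""Flag access-log requests whose term_id parameter is not a plain integer.

Added defensive example for the LearnPress term_id SQL injection (CVE-2024-4434);
not code from the plugin or the advisory. Log lines are constructed samples.
Assumption: a legitimate term_id is a non-negative integer (a taxonomy term ID).
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

INT_RE = re.compile(r'^\d+$')  # digits only: no quotes, spaces or operators


def term_id_values(target: str) -> list[str]:
    """Return every term_id value in the request target, decoded twice.

    parse_qs decodes once; the extra unquote_plus exposes values that were
    percent-encoded a second time, which a single-decode filter would miss.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [unquote_plus(v) for v in params.get('term_id', [])]


def suspicious_requests(lines: list[str]) -> list[dict]:
    """Return one finding per request whose term_id is not a plain integer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip lines that are not in combined log format
            continue
        bad = [v for v in term_id_values(m['target']) if not INT_RE.match(v)]
        if bad:
            findings.append({'ip': m['ip'], 'ts': m['ts'],
                             'status': m['status'], 'term_id': bad})
    return findings


# Constructed samples: one benign request, one stray quote, one double-encoded.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2024:12:00:01 +0000] "GET /courses/?term_id=17 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/May/2024:12:00:02 +0000] "GET /courses/?term_id=17%27 HTTP/1.1" 500 311',
    '198.51.100.9 - - [10/May/2024:12:00:03 +0000] "GET /courses/?term_id=17%2527 HTTP/1.1" 200 5120',
]

if __name__ == '__main__':
    for f in suspicious_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} term_id={f['term_id']}")
```

Only GET query strings appear in access logs; the same check on parameters sent in a POST body needs request-body logging or the WAF's own logs.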
CVE-2024-4434 is a critical SQL Injection vulnerability affecting LearnPress versions up to 4.2.6.5, allowing attackers to extract data through the ‘term_id’ parameter.
If you are using LearnPress LMS Plugin version 4.2.6.5 or earlier, you are vulnerable to this SQL Injection attack.
Upgrade LearnPress LMS Plugin to the latest version that includes the security patch. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target for attackers.
Refer to the LearnPress website and WordPress plugin repository for the official advisory and update information.