Platform
wordpress
Component
lifterlms
Fixed in
7.6.3
CVE-2024-4743 is a serious SQL Injection vulnerability in the LifterLMS WordPress LMS plugin. An authenticated attacker with Contributor-level access or higher can append arbitrary SQL to an existing database query through the orderBy attribute of the lifterlms_favorites shortcode. All versions of LifterLMS up to and including 7.6.2 are affected; the vendor fixed the issue in 7.6.3.
The impact is severe. Because the injection appends to an existing query rather than merely altering a filter, an attacker can run complex extraction queries against the LifterLMS tables and the rest of the WordPress database, including user credentials (password hashes), course and enrollment details, and any stored payment records, and can potentially read application configuration data held in the database. Successful exploitation can lead to unauthorized access to student data, disruption of learning activities, and financial loss. The required privilege is low: Contributors cannot publish, but they can save a draft containing the shortcode and preview it, which is enough to make the query run. This is the same data-exposure outcome seen in other SQL Injection attacks, where the attacker manipulates a query the application already trusts.
CVE-2024-4743 was publicly disclosed on June 5, 2024. Exploitation needs only a low-privileged account and a single shortcode attribute, so it is straightforward once the injection point is known. No public proof-of-concept (PoC) code had been released as of this writing; the EPSS score below reflects a low but non-negligible probability of exploitation in the wild. Monitor security advisories and threat intelligence feeds for indications of active exploitation.
Exploit Status
EPSS
0.37% (59th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-4743 is to upgrade immediately to LifterLMS 7.6.3 or later, which contains the fix. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule is at best a stopgap: the payload travels in the orderBy attribute of a lifterlms_favorites shortcode that is saved in post content, so a rule has to inspect the body of post-save requests (the admin post editor and the REST API) for that shortcode with an orderBy value outside the plugin's expected column names, rather than a conventional query-string parameter. Flag values containing SQL keywords, commas, parentheses, quotes or comment sequences. Independently, audit accounts at Contributor level or above, remove or downgrade any that are unused, and review existing post content for lifterlms_favorites shortcodes with unexpected orderBy values, since a payload stored before the upgrade remains in the database. After upgrading, confirm that the installed version is 7.6.3 or later; if you want to test the injection point yourself, do so with a harmless payload on a staging copy, not on production.
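As an added illustration (example code written for this page, not LifterLMS source), the Python below shows the allow-list pattern that closes this class of bug, since an ORDER BY column cannot be bound as a prepared-statement parameter, together with a scanner that flags lifterlms_favorites shortcodes whose orderBy value would not pass that allow-list, and a check for the affected version range. The column names, the placeholder table name and the sample post content are assumptions constructed for the example.

```python
"""
Added example, not LifterLMS code: allow-list handling for an ORDER BY
input of the kind CVE-2024-4743 describes, a scanner for
[lifterlms_favorites] shortcodes whose orderBy value fails that
allow-list, and a check for the affected version range.
"""
import re
from typing import List, Optional, Tuple

# Assumed sortable columns; the real plugin's list is not on the page.
ALLOWED_ORDER_BY = {"date", "title", "id"}
ALLOWED_DIRECTION = {"ASC", "DESC"}
SAFE_DEFAULT = ("date", "DESC")


def validate_order_by(value: str) -> Optional[Tuple[str, str]]:
    """Return (column, direction) only if both tokens are allow-listed.

    ORDER BY identifiers cannot be bound with prepare(); the only safe
    option is to map the untrusted value onto known tokens and reject
    anything else, so "title, (SELECT SLEEP(5))" never reaches the SQL.
    """
    parts = value.strip().split()
    if not 1 <= len(parts) <= 2:
        return None
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_ORDER_BY or direction not in ALLOWED_DIRECTION:
        return None
    return column, direction


def build_query(order_by_attr: str) -> str:
    """Hardened construction: only allow-listed tokens are interpolated.

    The vulnerable shape is the same f-string with order_by_attr pasted
    in directly. 'favorites' is a placeholder table name for the example.
    """
    column, direction = validate_order_by(order_by_attr) or SAFE_DEFAULT
    return f"SELECT post_id FROM favorites ORDER BY {column} {direction}"


# Shortcode and attribute grammar assumed for the example.
SHORTCODE_RE = re.compile(r"\[lifterlms_favorites\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""orderBy\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)


def find_suspicious_shortcodes(post_content: str) -> List[str]:
    """Return orderBy values of lifterlms_favorites shortcodes in
    post_content that the allow-list would reject. Run it over content
    saved by Contributor-level accounts to hunt for stored payloads, or
    inside a request-body WAF rule on post-save requests."""
    hits = []
    for m in SHORTCODE_RE.finditer(post_content):
        am = ATTR_RE.search(m.group(1))
        if am is None:
            continue
        value = next(g for g in am.groups() if g is not None)
        if validate_order_by(value) is None:
            hits.append(value)
    return hits


def is_vulnerable_version(version: str) -> bool:
    """True for LifterLMS versions up to and including 7.6.2."""
    numbers = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    if not numbers:
        raise ValueError(f"unparseable version string: {version!r}")
    return numbers <= (7, 6, 2)


# Constructed sample post content, not real site data.
SAMPLE_POST = (
    'Top picks: [lifterlms_favorites orderBy="date DESC"]\n'
    'By name: [lifterlms_favorites orderby=title per_page="10"]\n'
    'Hostile: [lifterlms_favorites orderBy="title, (SELECT SLEEP(5))"]\n'
)

if __name__ == "__main__":
    print(build_query("title"))
    print(build_query("title, (SELECT SLEEP(5))"))
    print(find_suspicious_shortcodes(SAMPLE_POST))
    print(is_vulnerable_version("7.6.2"), is_vulnerable_version("7.6.3"))
```

The allow-list is the only reliable fix for an ORDER BY injection; escaping or keyword filtering leaves room for bypasses, which is why the WAF rule above is a stopgap and the scanner is meant for hunting stored payloads, not for blocking on its own.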
Update the LifterLMS plugin to version 7.6.3 or later, which fixes the SQL Injection. The update can be performed from the Plugins screen of the WordPress admin panel.
CVE-2024-4743 is a SQL Injection vulnerability in the LifterLMS WordPress plugin that lets an authenticated user with Contributor-level access or higher extract sensitive data from the database.
You are affected if you are running LifterLMS 7.6.2 or earlier. Check the plugin version and upgrade to 7.6.3 or later immediately.
Upgrade to the latest version of the LifterLMS plugin. As a temporary workaround, implement a WAF rule to filter malicious SQL injection attempts.
No public exploit is currently known, but the low privilege required and the simplicity of the injection point make it likely to be targeted. Monitor security advisories.
Refer to the official LifterLMS website and WordPress plugin repository for the latest security advisory and update information.