平台
wordpress
组件
learnpress
修复版本
4.2.7
CVE-2024-4434 is a critical SQL Injection vulnerability discovered in the LearnPress WordPress LMS Plugin. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions up to and including 4.2.6.5. A patch is available to address this issue.
The SQL Injection vulnerability in LearnPress allows attackers to bypass security measures and directly interact with the plugin's database. By manipulating the ‘term_id’ parameter, an attacker can append arbitrary SQL queries to existing ones. This enables them to extract sensitive information such as user credentials, course details, and payment information. Successful exploitation could lead to complete database compromise, data breaches, and potential disruption of the LearnPress LMS functionality. The impact is particularly severe given the plugin's role in managing learning content and user data.
CVE-2024-4434 was publicly disclosed on 2024-05-10. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. Public proof-of-concept exploits are likely to emerge. The vulnerability is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring.
WordPress websites utilizing the LearnPress LMS Plugin, particularly those running versions prior to 4.2.6.5, are at significant risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable, as are websites with weak security configurations or inadequate input validation practices.
• wordpress / composer / npm:
grep -r "LearnPress\s+LMS\s+Plugin" /var/www/html/
wp plugin list | grep LearnPress• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/learnpress/ | grep LearnPressdisclosure
漏洞利用状态
EPSS
77.09% (99% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-4434 is to immediately upgrade the LearnPress WordPress LMS Plugin to a version that includes the security patch. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing temporary workarounds. These might include restricting access to the vulnerable endpoint, implementing input validation and sanitization on the ‘term_id’ parameter, or using a Web Application Firewall (WAF) to filter malicious SQL queries. Regularly review WordPress plugin security updates and apply them promptly.
Actualice el plugin LearnPress a una versión posterior a la 4.2.6.5. Esto solucionará la vulnerabilidad de inyección SQL.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-4434 is a critical SQL Injection vulnerability affecting LearnPress versions up to 4.2.6.5, allowing attackers to extract data through the ‘term_id’ parameter.
If you are using LearnPress LMS Plugin version 4.2.6.5 or earlier, you are vulnerable to this SQL Injection attack.
Upgrade LearnPress LMS Plugin to the latest version that includes the security patch. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target for attackers.
Refer to the LearnPress website and WordPress plugin repository for the official advisory and update information.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。