Multiple Critical Vulnerabilities in WordPress Plugin LearnPress

Published on 25 Jan 2023

Updated on 25 Jan 2023

LearnPress, a WordPress learning management system (LMS) plugin, has released security updates to address multiple critical vulnerabilities.

The vulnerabilities are:

  • CVE-2022-47615: An unauthenticated local file inclusion vulnerability could allow an attacker to display the contents of local files stored on the web server, potentially exposing credentials, authorisation tokens, and API keys.
  • CVE-2022-45808: An unauthenticated SQL injection vulnerability could allow an attacker to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution.
  • CVE-2022-45820: An authenticated SQL injection vulnerability could allow an attacker to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution.

Users and administrators of LearnPress are advised to upgrade to version 4.2.0 immediately.
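
To check an installed copy against the fixed release, the added example below (not part of the original advisory and not LearnPress code) reads the standard WordPress plugin header and compares its Version field with 4.2.0. The function names and sample headers are constructed for illustration; the path to the plugin's main file is an assumption supplied by the caller.

```python
import re

FIXED_VERSION = "4.2.0"  # fixed release named in the advisory

# Same line shape WordPress accepts for header fields inside the leading comment.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t\r]*$", re.M | re.I)


def parse_header(text):
    """Return the Plugin Name and Version fields from a plugin file's header."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads only 8 KiB
        fields.setdefault(key.lower(), value)
    return fields


def version_key(version):
    """Numeric tuple for comparison; trailing zeros dropped so 4.2 == 4.2.0."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    parts = [int(p) for p in match.group(0).split(".")] if match else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def needs_upgrade(version, fixed=FIXED_VERSION):
    """True when version is older than the fixed release or cannot be parsed."""
    return version_key(version) < version_key(fixed)


def check_file(path):
    """Return (version, needs_upgrade) for the plugin main file at path (caller-supplied)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        version = parse_header(fh.read(8192)).get("version", "")
    return version, needs_upgrade(version)


if __name__ == "__main__":
    # Constructed sample headers, not copied from any LearnPress release.
    for ver in ("4.1.7.3.2", "4.2.0", "4.10.1", ""):
        header = f"<?php\n/**\n * Plugin Name: LearnPress\n * Version: {ver}\n */\n"
        found = parse_header(header).get("version", "")
        print(f"{found or '(unparsed)':<10} needs upgrade: {needs_upgrade(found)}")
```

Versions are compared component by component as integers, so a multi-part version such as 4.1.7.3.2 sorts below 4.2.0 and 4.10.1 sorts above it, which a plain string comparison gets wrong. A missing or unparsable Version field is reported as needing an upgrade so it gets a manual look.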


More information is available here:

https://patchstack.com/articles/multiple-critical-vulnerabilities-fixed-in-learnpress-plugin-version/

https://www.bleepingcomputer.com/news/security/75k-wordpress-sites-impacted-by-critical-online-course-plugin-flaws/