An unauthenticated SQL injection vulnerability exists in the LearnPress WordPress plugin in versions up to 4.2.7. The flaw lies in the `c_only_fields` parameter of the LearnPress API endpoint, which lets an attacker execute arbitrary SQL through API requests without authenticating. Successful exploitation could result in unauthorized database access, exposure of sensitive data, or even administrative control gained through database manipulation.
LearnPress is a WordPress plugin for building a Learning Management System (LMS). It lets users upload an image as a profile avatar, which is then cropped and saved. A vulnerability in this feature allows an attacker to rename arbitrary image files by manipulating the POST request sent to the server, which can destroy website design elements such as banners, avatars, post images, and buttons. The vulnerability is exploited by registering and logging in to LearnPress, uploading an avatar image, intercepting the POST request with a tool such as Burp Suite, and changing the value of the `lp-user-avatar-crop[name]` parameter to the path of an arbitrary image file on the website. The attacker then forwards the modified request and checks whether the renamed image file exists.
The WordPress plugin LearnPress version 3.2.6.7 is vulnerable to an authenticated SQL injection in the `current_items` parameter. An attacker with authenticated access can exploit it to execute arbitrary SQL queries, potentially leading to unauthorized access or data leakage.
WordPress plugin LearnPress version 3.2.6.8 is vulnerable to privilege escalation. An attacker can exploit this vulnerability by finding out their own user ID and requesting the payload URL `http://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>`.
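The two flaw classes above (client-controlled field names reaching SQL, and a role-changing admin action that trusts a `user_id` parameter) have well-known fixes in WordPress plugin code. The following is an added example of those fixes written against the WordPress core API; it is not LearnPress code and does not reproduce the plugin's handlers. The REST route `example/v1/items`, the `only_fields` parameter, the `lp_course` post type, the `example_accept_teacher` action and the `example_teacher` role are all hypothetical names chosen for illustration.

```php
<?php
// Added example (not LearnPress code). Hypothetical names throughout:
// route example/v1/items, parameter only_fields, post type lp_course,
// admin action example_accept_teacher, role example_teacher.

// 1. Column names cannot be bound with $wpdb->prepare() placeholders, so a
//    client-supplied list of fields must be reduced to a fixed allow-list
//    before it is interpolated into the query. Every value is still bound.
function example_get_items( WP_REST_Request $request ) {
    global $wpdb;

    $allowed_fields = array( 'ID', 'post_title', 'post_date' );
    $requested      = array_map( 'strval', (array) $request->get_param( 'only_fields' ) );
    $fields         = array_values( array_intersect( $allowed_fields, $requested ) );

    if ( empty( $fields ) ) {
        $fields = $allowed_fields; // nothing valid requested: return the default set
    }

    // Safe to interpolate: every element originates from $allowed_fields.
    $select = implode( ', ', array_map( function ( $f ) { return "`$f`"; }, $fields ) );

    $per_page = absint( $request->get_param( 'per_page' ) ) ?: 10;
    $page     = max( 1, absint( $request->get_param( 'page' ) ) );

    $sql = $wpdb->prepare(
        "SELECT {$select} FROM {$wpdb->posts} WHERE post_type = %s AND post_status = %s LIMIT %d OFFSET %d",
        'lp_course', // hypothetical post type
        'publish',
        $per_page,
        ( $page - 1 ) * $per_page
    );

    return rest_ensure_response( $wpdb->get_results( $sql, ARRAY_A ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/items', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_items',
        // Unauthenticated callers are rejected before the callback runs.
        'permission_callback' => function () { return current_user_can( 'read' ); },
        'args'                => array(
            'only_fields' => array( 'type' => 'array', 'items' => array( 'type' => 'string' ) ),
        ),
    ) );
} );

// 2. An action that changes a user's role must verify a capability of the
//    caller and a nonce; the user_id in the request must never be the only
//    thing that decides whether the role change happens.
add_action( 'admin_post_example_accept_teacher', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_accept_teacher' ); // dies on a missing or invalid nonce

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_die( 'Unknown user.', '', array( 'response' => 400 ) );
    }
    $user->set_role( 'example_teacher' ); // hypothetical role name

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );
```

The REST part relies on `permission_callback` to stop unauthenticated access and on `array_intersect` to turn an attacker-controlled identifier list into a subset of known-safe column names; the `admin_post_*` part pairs `current_user_can()` with `check_admin_referer()` so that neither a low-privileged user nor a forged cross-site request can trigger the role change.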