Page 10 of 49 results (0.009 seconds)

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2020-7916 – LearnPress <= 3.2.6.6 - Privilege Escalation

https://notcve.org/view.php?id=CVE-2020-7916

be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 and earlier for WordPress allows any registered user to assign itself the teacher role via the wp-admin/admin-ajax.php?action=learnpress_be_teacher URI without any additional permission checks. Therefore, any user can change its role to an instructor/teacher and gain access to otherwise restricted data. La función be_teacher en el archivo class-lp-admin-ajax.php en el plugin LearnPress versión 3.2.6.5 y anteriores para WordPress, permite que cualquier usuario registrado se asigne el rol teacher por medio del URI wp-admin/admin-ajax.php?action=learnpress_be_teacher sin ningunas comprobaciones de permiso adicionales. • https://wordpress.org/plugins/learnpress/#developers • CWE-269: Improper Privilege Management •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

CVE-2018-16175 – LearnPress <= 3.0.12 - Authenticated SQL Injection

https://notcve.org/view.php?id=CVE-2018-16175

SQL injection vulnerability in the LearnPress prior to version 3.1.0 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en LearnPress, en versiones anteriores a la 3.1.0, permite que un atacante con derechos de administrador ejecute comandos SQL arbitrarios mediante vectores sin especificar. • https://jvn.jp/en/jp/JVN85760090/index.html https://wordpress.org/plugins/learnpress • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2018-16173 – LearnPress <= 3.0.12 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2018-16173

Cross-site scripting vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad Cross-Site Scripting (XSS) en versiones anteriores a la 3.1.0 de LearnPress permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. • https://jvn.jp/en/jp/JVN85760090/index.html https://wordpress.org/plugins/learnpress • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2018-16174 – LearnPress <= 3.0.12 - Open Redirect

https://notcve.org/view.php?id=CVE-2018-16174

Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Una vulnerabilidad de redirección abierta en LearnPress, en versiones anteriores a la 3.1.0, permite que atacantes remotos redireccionen a los usuarios a sitios web arbitrarios y lleven a cabo ataques de phishing mediante vectores sin especificar. • https://jvn.jp/en/jp/JVN85760090/index.html https://wordpress.org/plugins/learnpress • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •