CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3360 – LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API
https://notcve.org/view.php?id=CVE-2022-3360
The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function. El complemento LearnPress WordPress anterior a 4.1.7.2 deserializa la entrada del usuario en un punto final API REST disponible para usuarios no autenticados, lo que podría conducir a una Inyección de Objetos PHP cuando hay presente un dispositivo adecuado, lo que lleva a la ejecución remota de código (RCE). Para explotar con éxito esta vulnerabilidad, los atacantes deben tener conocimiento de los secretos del sitio, lo que les permitirá generar un hash válido a través de la función wp_hash(). The LearnPress plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.1.7.1 via deserialization of untrusted input in a REST API endpoint available to unauthenticated users. • https://wpscan.com/vulnerability/acea7a54-a964-4127-a93f-f38f883074e3 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0271 – LearnPress < 4.1.6 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0271
The LearnPress WordPress plugin before 4.1.6 does not sanitise and escape the lp-dismiss-notice before outputting it back via the lp_background_single_email AJAX action, leading to a Reflected Cross-Site Scripting El plugin LearnPress de WordPress versiones anteriores a 4.1.6, no sanea ni escapa del parámetro lp-dismiss-notice antes de devolverlo por medio de la acción AJAX lp_background_single_email, conllevando a una vulnerabilidad de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/ad07d9cd-8a75-4f7c-bbbe-3b6b89b699f2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2022-0377 – LearnPress < 4.1.5 - Arbitrary Image Renaming
https://notcve.org/view.php?id=CVE-2022-0377
Users of the LearnPress WordPress plugin before 4.1.5 can upload an image as a profile avatar after the registration. After this process the user crops and saves the image. Then a "POST" request that contains user supplied name of the image is sent to the server for renaming and cropping of the image. As a result of this request, the name of the user-supplied image is changed with a MD5 value. This process can be conducted only when type of the image is JPG or PNG. • https://www.exploit-db.com/exploits/50706 https://bozogullarindan.com/en/2022/01/wordpress-learnpress-plugin-4.1.4.1-arbitrary-image-renaming https://github.com/LearnPress/learnpress/commit/d1dc4af7ef2950f1000abc21bd9520fb3eb98faf https://wpscan.com/vulnerability/0d95ada6-53e3-4a80-a395-eacd7b090f26 • CWE-73: External Control of File Name or Path CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24951 – LearnPress < 4.1.4 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24951
The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues El plugin LearnPress de WordPress versiones anteriores a 4.1.4, no sanea, comprueba ni escapa del parámetro id antes de usarlo en las sentencias SQL al duplicar un curso/lección/cuestionario/pregunta, conllevando a problemas de inyecciones SQL • https://wpscan.com/vulnerability/0a16ddc5-5ab9-4a8f-86b5-41edcbeafc50 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-39348 – LearnPress – WordPress LMS Plugin <= 4.1.3.1 Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39348
The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is seperate from CVE-2021-24702. El plugin LearnPress de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Almacenado debido a un escape insuficiente en el parámetro $custom_profile que se encuentra en el archivo ~/inc/admin/views/backend-user-profile.php y que permite a atacantes con acceso de usuario administrativo inyectar scripts web arbitrarios, en versiones hasta la 4.1.3.1 incluyéndola. Esto afecta a las instalaciones multi-sitio donde unfiltered_html está deshabilitado para los administradores, y los sitios donde unfiltered_html está deshabilitado. • https://github.com/BigTiger2020/word-press/blob/main/LearnPress.md https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2614592%40learnpress&new=2614592%40learnpress&sfp_email=&sfph_mail= https://wordfence.com/vulnerability-advisories/#CVE-2021-39348 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •