LearnPress has vulnerabilities that could affect more than 75,000 WordPress sites if they don’t install the latest patch

MADRID, 26 Jan. (Portaltic/EP) –

Learn Press, one of the most used plugins wordpress, presents three “critical” vulnerabilities that they could affect more than 75,000 websites if it does not apply update patch 4.2.0, which fixes security flaws such as SQL injection (intrusion code) by unauthenticated users.

LearnPress is a learning management system (LMS) plugin of WordPress that allows websites to easily create and sell online courses, lessons and quizzessince you don’t need to have any coding knowledge for it.

The WordPress Patchstack security tool researchers They found three “critical” vulnerabilities in LearnPress throughout the past year 2022, so they informed the ‘software’ provider to implement a solution, as they explain on their website.

Thanks to this, on December 20, 2022, the LearnPress plugin version 4.2.0 that fixed all vulnerabilities reported by Patchstack. Nevertheless, only about 25 percent of websites who use this plugin have applied this patchas shown by the data collected by WordPress.

In this sense, since LearnPress has over 100,000 installs active, around 75,000 websites could be affected even for the vulnerabilities found last year, which can trigger serious repercussions.

Regarding vulnerabilities, the first discovered by Patchstack is the CVE-2022-47615, a bug allowing to include local files (LFI) unauthenticated. This action allows attackers to display the content of local files on the web server.

That is, you can compromise file security that may contain sensitive data such as passwords, credentials, authorization tokens, and API keys.

The second vulnerability is CVE-2022-45808which allows injections Unauthenticated SQL. An SQL injection is a method of infiltration of intrusive code. In this way, the attacker could potentially divulge sensitive informationmodify data and execute arbitrary code, that is, the ability to execute commands or in an application at the whim of the attacker.

Finally, the third error found is the CVE-2022-45820which also has to do with SQL injections but authenticated because, to activate the injection, the user must have at least the role of collaborator on the website, Patchstack reports. Is vulnerability can also lead to data breach.

For all this, Patchstack recommends to website owners that use LearnPress that Please update to version 4.2.0 as soon as possible.

Related articles