Login Sign Up

CVE-2020-11511

8.1 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability in the LearnPress WordPress plugin allows remote attackers to escalate any user's privileges to 'LP Instructor' role via the 'accept-to-be-teacher' action parameter. This affects WordPress sites running LearnPress versions before 3.2.6.9. Attackers can exploit this without authentication to gain elevated privileges.

💻 Affected Systems

Products:
  • WordPress LearnPress Plugin
Versions: All versions before 3.2.6.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable LearnPress versions installed and activated.

📦 What is this software?

Learnpress by Thimpress

View all CVEs affecting Learnpress →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise where attackers gain instructor privileges, potentially leading to data theft, content manipulation, or further privilege escalation to administrator.

🟠

Likely Case

Attackers gain instructor-level access allowing them to create/manage courses, access student data, and potentially pivot to other attacks.

🟢

If Mitigated

Minimal impact if proper access controls and monitoring are in place to detect privilege escalation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending crafted HTTP request to vulnerable endpoint. Public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.6.9 and later

Vendor Advisory: https://wordpress.org/plugins/learnpress/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find LearnPress plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 3.2.6.9+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable LearnPress Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate learnpress

Web Application Firewall Rule

all

Block requests containing the exploit parameter

Add WAF rule to block requests containing 'accept-to-be-teacher' parameter

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to WordPress admin areas
  • Enable detailed logging and monitoring for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check LearnPress plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get learnpress --field=version

Verify Fix Applied:

Verify LearnPress version is 3.2.6.9 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'accept-to-be-teacher' parameter
  • User role changes from subscriber/contributor to instructor

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with suspicious parameters
  • Unusual privilege escalation patterns

SIEM Query:

source="wordpress.log" AND "accept-to-be-teacher" OR (event="user_role_change" AND new_role="lp_teacher")

📊 Metadata

CVE ID: CVE-2020-11511
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-862
Published: July 30, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-11511, you might also want to check these:

CVE-2024-6071 10.0

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License ...

Same vulnerability type (CWE-862)
CVE-2022-0543 10.0

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that a...

Same vulnerability type (CWE-862)
CVE-2024-6500 10.0

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress ...

Same vulnerability type (CWE-862)