CVE-2023-3105

8.8 HIGH

📋 TL;DR

The LearnDash LMS WordPress plugin up to and including version 4.6.0 contains an Insecure Direct Object Reference (IDOR) vulnerability: the password-change functionality does not verify that the acting user is authorized for the account being modified, so any authenticated user, down to the lowest-privileged roles such as Subscriber or student, can set the password of another user's account. Because administrators are valid targets, this leads directly to administrator account takeover and full control of the site. Any WordPress site running a vulnerable LearnDash version is affected, regardless of configuration.

💻 Affected Systems

Products:
  • LearnDash LMS WordPress Plugin
Versions: Up to and including 4.6.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with LearnDash plugin. All configurations using vulnerable versions are affected.

📦 What is this software?

LearnDash LMS (plugin slug sfwd-lms) is a commercial learning management system plugin for WordPress used to publish courses, lessons and quizzes and to manage student accounts, often on sites that let students register their own accounts. It is distributed by LearnDash rather than through the wordpress.org plugin directory, which affects how updates are delivered (see Fix & Mitigation).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise through administrator account takeover, leading to data theft, malware installation, or site defacement.

🟠

Likely Case

An attacker holding any low-privileged account, for example a self-registered student, resets an administrator's password, logs in as that administrator, and then modifies site content, exports user data or installs a malicious plugin.

🟢

If Mitigated

Sites already on 4.6.1 or later, or with the plugin deactivated, are not exposed. Where the plugin cannot be patched, exposure is bounded by who can obtain an account: a closed-registration site whose users are all trusted staff requires an attacker to compromise a user account first, and administrator accounts protected by a second factor cannot be taken over with a password change alone.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated session, but any account that can log in suffices, including a self-registered student or Subscriber. Because the flaw is a missing authorization check rather than a memory-safety bug, no special tooling is needed once the attacker is logged in, which is why complexity is rated LOW and weaponization is considered likely despite the absence of a public proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.1

Vendor Advisory: https://www.learndash.com/release-notes/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find LearnDash LMS and click 'Update Now'. LearnDash is distributed by the vendor rather than the wordpress.org directory, so if no update is offered, confirm that the site's LearnDash license is active or install 4.6.1 from your LearnDash account.
4. Verify that the installed version is 4.6.1 or higher.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Platform: all

Disable the LearnDash plugin until it is patched. This removes the vulnerable code path entirely, at the cost of taking courses, lessons and quizzes offline for students while it is inactive.

wp plugin deactivate sfwd-lms

Restrict User Registration

Platform: all

Temporarily disable new user registration so that an attacker cannot simply create the low-privileged account the exploit requires. This does not protect against accounts that already exist, so it reduces exposure rather than closing the vulnerability.

wp option update users_can_register 0

🧯 If You Can't Patch

  • Enforce two-factor authentication for administrator accounts, so that a changed password alone does not grant login
  • Alert on any password change where the acting user is not the account owner and is not an administrator (see Detection & Monitoring), and treat such an event as an active compromise
  • Apply web application firewall rules that block or challenge password-change requests from non-administrator sessions that reference another user's account; confirm the exact request shape from your own traffic before deploying a rule rather than relying on generic signatures
  • If the site was exposed while vulnerable, rotate all administrator passwords and review the administrator list for accounts you do not recognise

🔍 How to Verify

Check if Vulnerable:

Check LearnDash plugin version in WordPress admin panel under Plugins > Installed Plugins

Check Version:

wp plugin get sfwd-lms --field=version

Verify Fix Applied:

Confirm that the LearnDash version shown in the plugin details is 4.6.1 or higher
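The update steps under Fix & Mitigation and the version check in this section can be combined into one script for sites managed from the command line. The following is an added example written for this page, not LearnDash or WP-CLI project code. It assumes WP-CLI is installed as `wp`, that the plugin slug is `sfwd-lms` and the first fixed release is 4.6.1 as stated above, and that each site is identified by its WordPress root path; the `--update` flag is this script's own, not a WP-CLI option. Versions are compared as integer tuples rather than strings, because a plain string comparison would rank a hypothetical 4.10.0 below 4.6.1 and report a patched site as vulnerable.

```python
"""Check whether LearnDash on one or more WordPress sites is in the vulnerable
range and, optionally, update it with WP-CLI.

Added example for this advisory, not LearnDash or WP-CLI project code.
Assumptions: `wp` is on PATH, the plugin slug is sfwd-lms and the first fixed
release is 4.6.1 (both as stated in the advisory).
"""
import shutil
import subprocess
import sys
from typing import Optional, Tuple

PLUGIN_SLUG = "sfwd-lms"
FIXED_VERSION = "4.6.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.6.0' into (4, 6, 0) for numeric comparison.

    Comparing strings would rank '4.10.0' below '4.6.1'; integer tuples do not.
    A non-numeric suffix such as '-beta1' is dropped, so a pre-release of the
    fixed version is treated as fixed; check such builds by hand.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:          # make (4, 6) compare equal to (4, 6, 0)
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(site_path: str) -> Optional[str]:
    """Ask WP-CLI for the plugin version; None if WP-CLI or the plugin is absent.

    `wp plugin get <slug> --field=version` exits non-zero when the plugin is
    not installed, which is treated the same as "nothing to check".
    """
    if shutil.which("wp") is None:
        return None
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={site_path}"],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        return None
    return result.stdout.strip()


def remediate(site_path: str, apply_update: bool = False) -> str:
    """Classify a site and, if asked, update and re-check.

    Returns 'not-installed', 'fixed', 'vulnerable', 'updated' or
    'still-vulnerable'. The version is re-read after `wp plugin update`
    rather than trusting its exit status, because LearnDash updates come from
    the vendor and the command may find nothing to update when the site's
    license does not expose the new release.
    """
    before = installed_version(site_path)
    if before is None:
        return "not-installed"
    if not is_vulnerable(before):
        return "fixed"
    if not apply_update:
        return "vulnerable"
    subprocess.run(["wp", "plugin", "update", PLUGIN_SLUG, f"--path={site_path}"], check=False)
    after = installed_version(site_path)
    if after is not None and not is_vulnerable(after):
        return "updated"
    return "still-vulnerable"


if __name__ == "__main__":
    # Usage: python check_learndash.py /var/www/site1 [/var/www/site2 ...] [--update]
    # `--update` is this script's own flag, not a WP-CLI option.
    do_update = "--update" in sys.argv
    for path in (a for a in sys.argv[1:] if a != "--update"):
        print(f"{path}: {remediate(path, do_update)}")
```

Without `--update` the script only reports; with it, each vulnerable site is updated and then re-read so that a licensing problem shows up as `still-vulnerable` instead of a false success.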

📡 Detection & Monitoring

Log Indicators:

  • Password changes for an account that were not initiated from that account's own session (the acting user ID differs from the target user ID), especially where the acting user is not an administrator
  • Administrators receiving WordPress's "Password Changed" notification e-mail for their own account without having requested a change (sent only if the change went through WordPress's standard user-update path)
  • A single low-privileged account changing passwords for several different users in a short window, consistent with user-ID enumeration
  • Administrator logins from unfamiliar IP addresses or user agents shortly after such a password change

Network Indicators:

  • HTTP POST requests carrying another user's ID to the plugin's profile or password-change handler, issued from sessions of non-administrator accounts. WordPress access logs do not record request bodies or the logged-in user by default, so correlating this requires an audit-logging plugin or a reverse proxy that captures them.

SIEM Query:

source="wordpress.log" AND event="password_change" AND actor_role!="administrator" AND actor_id!=target_id

The source name and field names above are placeholders: WordPress core does not write such a log, so they must be supplied by an audit-logging plugin or a custom hook and mapped to your SIEM's schema. The essential condition is that the acting user differs from the target user; a query that only excludes administrators would also match every ordinary user changing their own password.
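To make the indicators above concrete, here is an added example, not part of the original advisory or of LearnDash, of the detection logic run over a constructed JSON-lines audit log. The field names (`event`, `actor_id`, `actor_role`, `target_id`, `target_role`, `ip`) and the sample events are assumptions for illustration; WordPress core emits no such log, so in practice they would come from an audit plugin or a small mu-plugin hooking `profile_update` or `after_password_reset` and recording `get_current_user_id()` as the actor. The core rule is that the acting user differs from the target and holds no user-management role; a second pass counts actors behind several such changes, which is what user-ID enumeration by an attacker looks like.

```python
"""Detect cross-account password changes, the behaviour this IDOR enables.

Added example for this advisory, not LearnDash code. Assumes a JSON-lines
audit log with the fields shown in the constructed sample below; WordPress
core does not write such a log, so an audit plugin or custom hook must
supply it.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample: one ordinary self-service change, one administrator
# resetting a student's password, one unrelated profile update, and one
# Subscriber changing two other users' passwords, including an administrator's.
SAMPLE_LOG = """
{"ts":"2023-06-14T09:01:12Z","event":"password_change","actor_id":17,"actor_role":"subscriber","target_id":17,"target_role":"subscriber","ip":"198.51.100.23"}
{"ts":"2023-06-14T09:05:40Z","event":"password_change","actor_id":1,"actor_role":"administrator","target_id":42,"target_role":"subscriber","ip":"203.0.113.9"}
{"ts":"2023-06-14T09:07:03Z","event":"profile_update","actor_id":17,"actor_role":"subscriber","target_id":17,"target_role":"subscriber","ip":"198.51.100.23"}
{"ts":"2023-06-14T09:07:55Z","event":"password_change","actor_id":17,"actor_role":"subscriber","target_id":42,"target_role":"subscriber","ip":"198.51.100.23"}
{"ts":"2023-06-14T09:08:10Z","event":"password_change","actor_id":17,"actor_role":"subscriber","target_id":1,"target_role":"administrator","ip":"198.51.100.23"}
""".strip()

# Roles that may change other users' passwords in stock WordPress (edit_users).
# Add site-specific custom roles here; multisite super admins would need a
# separate flag in the log, which this sample does not carry.
PRIVILEGED_ROLES = {"administrator"}


def parse_events(raw: str) -> List[Dict]:
    """Parse JSON lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def cross_account_password_changes(events: Iterable[Dict]) -> List[Dict]:
    """Flag password changes where the actor is not the target and holds no
    user-management role. Severity is 'critical' when the target is
    privileged, otherwise 'high'."""
    findings = []
    for e in events:
        if e.get("event") != "password_change":
            continue
        if e.get("actor_id") == e.get("target_id"):
            continue  # self-service change: normal
        if e.get("actor_role") in PRIVILEGED_ROLES:
            continue  # legitimate administrative reset
        severity = "critical" if e.get("target_role") in PRIVILEGED_ROLES else "high"
        findings.append({**e, "severity": severity})
    return findings


def repeat_offenders(findings: Iterable[Dict], threshold: int = 2) -> Dict[int, int]:
    """Actors responsible for `threshold` or more findings: an attacker
    walking through user IDs produces exactly this pattern."""
    counts = Counter(f["actor_id"] for f in findings)
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = cross_account_password_changes(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"[{f['severity']}] {f['ts']} actor {f['actor_id']} ({f['actor_role']}) "
              f"changed password of user {f['target_id']} ({f['target_role']}) from {f['ip']}")
    print("repeat offenders:", repeat_offenders(found))
```

On the sample, the administrator's reset of user 42 and the Subscriber's own password change are both ignored, while the two changes made by user 17 to other accounts are reported, the one against the administrator as critical; the repeat-offender pass then names user 17 as the single source of both.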
