CVE-2023-6634

8.1 HIGH

📋 TL;DR

The LearnPress WordPress plugin contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP functions with one parameter. This can lead to remote code execution on affected WordPress sites. All WordPress sites using LearnPress versions up to 4.2.5.7 are vulnerable.

💻 Affected Systems

Products:
  • LearnPress WordPress Plugin
Versions: All versions up to and including 4.2.5.7
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable LearnPress plugin versions

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data theft, malware deployment, or site defacement

🟠

Likely Case

Unauthenticated remote code execution allowing attackers to install backdoors, modify content, or pivot to other systems

🟢

If Mitigated

Limited impact if proper web application firewalls and security controls block malicious requests

🌐 Internet-Facing: HIGH - Unauthenticated exploit against internet-facing WordPress sites
🏢 Internal Only: MEDIUM - Lower risk if only accessible internally, but still vulnerable to insider threats

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple exploitation via crafted HTTP requests to vulnerable endpoints

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.5.8 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3013957/learnpress

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find LearnPress and click 'Update Now'
4. Verify version is 4.2.5.8 or higher

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block requests containing suspicious call_user_func patterns

WAF rule: Block requests with 'call_user_func' in parameters

Disable LearnPress Plugin

Platform: linux

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate learnpress

🧯 If You Can't Patch

  • Implement strict WAF rules to block command injection attempts
  • Restrict access to WordPress admin and plugin endpoints using IP whitelisting

🔍 How to Verify

Check if Vulnerable:

Check LearnPress plugin version in WordPress admin panel or via wp-cli: wp plugin get learnpress --field=version

Check Version:

wp plugin get learnpress --field=version

Verify Fix Applied:

Confirm LearnPress version is 4.2.5.8 or higher
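The version check above is easy to get wrong when scripted, because a plain string comparison treats 4.2.5.10 as older than 4.2.5.8. The following script is an added example, not part of this advisory or of the LearnPress project: it compares a version string field by field against 4.2.5.8 and wraps the wp-cli query from the verification steps. The function names (learnpress_is_fixed, check_site) are our own; check_site assumes wp-cli is on PATH and is run from the WordPress root.

```shell
#!/bin/sh
# Added example (not from the advisory): check an installed LearnPress version
# against the first release that fixes CVE-2023-6634.
FIXED_VERSION="4.2.5.8"

# learnpress_is_fixed VERSION
# Returns 0 (true) when VERSION is >= 4.2.5.8, 1 otherwise.
# Splits both strings on "." and compares numerically, so 4.2.5.10 > 4.2.5.8
# and a shorter string such as 4.2.6 is treated as 4.2.6.0.
learnpress_is_fixed() {
    awk -v have="$1" -v need="$FIXED_VERSION" 'BEGIN {
        n = split(have, h, "[.]");
        m = split(need, f, "[.]");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            a = (i <= n) ? h[i] + 0 : 0;   # missing trailing field counts as 0
            b = (i <= m) ? f[i] + 0 : 0;
            if (a > b) exit 0;
            if (a < b) exit 1;
        }
        exit 0;                            # identical to the fixed version
    }'
}

# check_site
# Queries the live installation with wp-cli (the command from the advisory's
# verification steps) and reports the result. Assumes wp-cli is installed and
# the current directory is the WordPress root. Exit status: 0 patched,
# 1 vulnerable, 2 plugin not found or wp-cli unavailable.
check_site() {
    installed=$(wp plugin get learnpress --field=version 2>/dev/null) || {
        echo "LearnPress not installed here, or wp-cli is unavailable"
        return 2
    }
    if learnpress_is_fixed "$installed"; then
        echo "LearnPress $installed: patched (>= $FIXED_VERSION)"
        return 0
    fi
    echo "LearnPress $installed: VULNERABLE to CVE-2023-6634, update to $FIXED_VERSION or later"
    return 1
}

# Usage on a live site (run from the WordPress root):
#   . ./check_learnpress.sh && check_site
```

The comparison function can also be fed a list of versions collected from many sites, one per line, to find the installs that still need the update.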

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to LearnPress endpoints with call_user_func parameters
  • Unusual PHP function calls in web server logs

Network Indicators:

  • POST requests to /wp-content/plugins/learnpress/ with suspicious parameters
  • Unusual outbound connections from web server

SIEM Query:

source="web_logs" AND ("call_user_func" OR "learnpress") AND status=200
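The SIEM query above matches any successful request that mentions "learnpress" anywhere, which includes every ordinary load of the plugin's CSS and JavaScript assets. The script below is an added example, not part of this advisory: it applies the two log indicators together (a request path under /wp-content/plugins/learnpress/ and call_user_func in the request URL) to a combined-format access log, and contrasts the result with the broad query. The log lines are constructed; the IPs, the endpoint name and the parameter name are placeholders, not real LearnPress routes.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a combined-format access log
# for the CVE-2023-6634 indicators listed above.

# Constructed sample log. PLACEHOLDER-endpoint.php and PLACEHOLDER_PARAM are
# invented names; only the plugin path and the call_user_func token come from
# the advisory's indicators.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/learnpress/assets/css/learnpress.css HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:07 +0000] "POST /wp-content/plugins/learnpress/PLACEHOLDER-endpoint.php?PLACEHOLDER_PARAM=call_user_func HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.2 - - [10/Jan/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:12 +0000] "POST /wp-content/plugins/learnpress/PLACEHOLDER-endpoint.php?PLACEHOLDER_PARAM=call_user_func HTTP/1.1" 403 12 "-" "python-requests/2.31"
EOF
)
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# In combined log format, after whitespace splitting, $7 is the request URL
# and $9 is the HTTP status code.

# suspicious_requests LOGFILE
# Prints every request to a LearnPress plugin path whose URL contains
# call_user_func, regardless of status (blocked attempts are still worth seeing).
suspicious_requests() {
    awk '$7 ~ /\/wp-content\/plugins\/learnpress\// && $7 ~ /call_user_func/' "$1"
}

# count_successful_suspicious LOGFILE
# Number of such requests that received HTTP 200, i.e. were not blocked by a
# WAF or the web server; these are the ones that need incident follow-up.
count_successful_suspicious() {
    awk '$7 ~ /\/wp-content\/plugins\/learnpress\// && $7 ~ /call_user_func/ && $9 == 200 { n++ }
         END { print n + 0 }' "$1"
}

# count_broad_query LOGFILE
# Number of lines the advisory's wide SIEM query would match
# ("call_user_func" OR "learnpress", status 200), to show how much noise
# ordinary asset loads add.
count_broad_query() {
    awk '($0 ~ /learnpress/ || $0 ~ /call_user_func/) && $9 == 200 { n++ }
         END { print n + 0 }' "$1"
}

# sources_by_status LOGFILE
# Per source IP and status, how many suspicious requests were seen; a 403 next
# to a 200 from the same address shows a WAF rule that was added too late.
sources_by_status() {
    suspicious_requests "$1" | awk '{ c[$1 " " $9]++ } END { for (k in c) print k, c[k] }' | sort
}

echo "Suspicious requests:"
suspicious_requests "$SAMPLE_FILE"
echo "Successful (HTTP 200) suspicious requests: $(count_successful_suspicious "$SAMPLE_FILE")"
echo "Lines matched by the broad SIEM query:      $(count_broad_query "$SAMPLE_FILE")"
echo "Per source and status:"
sources_by_status "$SAMPLE_FILE"
```

On the sample, the broad query matches two lines (one of them a harmless stylesheet load), the narrowed check matches one successful request and one blocked retry from the same address. On a real log, replace SAMPLE_FILE with the web server's access log path.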

🔗 References
