CVE-2024-4397

8.8 HIGH

📋 TL;DR

The LearnPress WordPress LMS plugin has a vulnerability that allows authenticated attackers with Instructor-level permissions or higher to upload arbitrary files due to missing file type validation. This can lead to remote code execution on affected WordPress sites. The vulnerability affects versions up to and including 4.2.6.5.

💻 Affected Systems

Products:
  • LearnPress - WordPress LMS Plugin
Versions: Up to and including 4.2.6.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Instructor role or higher; affects WordPress sites using vulnerable plugin versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Attackers upload web shells to gain persistent access, deface websites, or deploy ransomware.

🟢

If Mitigated

If proper file upload restrictions and web application firewalls are in place, exploitation attempts are blocked or detected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Instructor-level credentials; file upload bypass is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.6.6 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3083657/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the LearnPress plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.2.6.6+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Restrict File Uploads via .htaccess

linux

Block execution of uploaded files in the uploads directory

Add to .htaccess in wp-content/uploads:

    <FilesMatch "\.(php|php5|php7|phtml|phar)$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>

Web Application Firewall Rule

all

Block suspicious file upload requests to LearnPress endpoints

Configure WAF to block requests to /wp-json/lp/v1/material with file uploads containing executable extensions

🧯 If You Can't Patch

  • Temporarily disable the LearnPress plugin until patched
  • Remove Instructor and higher role permissions from untrusted users

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > LearnPress version; if version is 4.2.6.5 or lower, you are vulnerable.

Check Version:

If WP-CLI is installed:

    wp plugin list --name=learnpress --field=version

Verify Fix Applied:

After updating, verify LearnPress version is 4.2.6.6 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-json/lp/v1/material with file uploads
  • Unauthorized file creations in wp-content/uploads with .php extensions

Network Indicators:

  • HTTP POST requests to material endpoint with multipart/form-data containing executable files

SIEM Query:

source="web_server" AND uri_path="/wp-json/lp/v1/material" AND http_method="POST" AND content_type="multipart/form-data"
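As an added example that is not part of the advisory, the two log indicators above turned into checks a defender can run offline: the SIEM query applied to constructed JSON web-server records, and a sweep of constructed upload-directory paths using the same extension set the .htaccess workaround denies. The field names method, uri_path and content_type and all sample values are assumptions for this example.

```python
import json
import re
from pathlib import PurePosixPath

# Endpoint named in the advisory's log indicators.
MATERIAL_ENDPOINT = "/wp-json/lp/v1/material"
# Same extension set the .htaccess workaround blocks (final extension only).
EXEC_EXT = re.compile(r"\.(php|php5|php7|phtml|phar)$", re.IGNORECASE)

# Constructed JSON-lines access log; field names are assumptions, not a real format.
SAMPLE_LOG = """\
{"method": "GET", "uri_path": "/wp-json/lp/v1/material", "content_type": "", "status": 200, "user": "student1"}
{"method": "POST", "uri_path": "/wp-json/lp/v1/material", "content_type": "multipart/form-data; boundary=xyz", "status": 200, "user": "instructor2"}
{"method": "POST", "uri_path": "/wp-json/lp/v1/material/42", "content_type": "multipart/form-data; boundary=abc", "status": 200, "user": "instructor2"}
{"method": "POST", "uri_path": "/wp-login.php", "content_type": "application/x-www-form-urlencoded", "status": 302, "user": ""}
"""

# Constructed file listing; paths are made up for the example.
SAMPLE_PATHS = [
    "/var/www/html/wp-content/uploads/2024/05/lesson.pdf",
    "/var/www/html/wp-content/uploads/2024/05/notes.PHP",
    "/var/www/html/wp-content/plugins/learnpress/inc/class.php",
    "/var/www/html/wp-content/uploads/2024/05/x.phtml",
]

def flag_upload_requests(log_text):
    """Records matching the advisory's SIEM query: POST to the material
    endpoint (or a sub-path of it) with a multipart/form-data body."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        path = rec.get("uri_path", "")
        ctype = (rec.get("content_type") or "").lower()
        if (rec.get("method") == "POST"
                and (path == MATERIAL_ENDPOINT or path.startswith(MATERIAL_ENDPOINT + "/"))
                and ctype.startswith("multipart/form-data")):
            hits.append(rec)
    return hits

def flag_executable_uploads(paths):
    """Paths under wp-content/uploads whose final extension is one the
    .htaccess rule denies; plugin/theme code outside uploads is ignored."""
    flagged = []
    for p in paths:
        parts = PurePosixPath(p).parts
        if "wp-content" in parts and "uploads" in parts and EXEC_EXT.search(p):
            flagged.append(p)
    return flagged

if __name__ == "__main__":
    for rec in flag_upload_requests(SAMPLE_LOG):
        print("upload request:", rec["user"], rec["uri_path"])
    for p in flag_executable_uploads(SAMPLE_PATHS):
        print("executable file in uploads:", p)
```

A POST to the endpoint is expected traffic for legitimate instructors, so the request hits are a triage feed to correlate with the file-creation check, not an alert on their own.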
