CVE-2024-8522
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform SQL injection against WordPress sites running the LearnPress plugin. Attackers can extract sensitive database information by manipulating the 'c_only_fields' parameter in REST API requests. All WordPress sites running LearnPress versions up to and including 4.2.7 are affected.
💻 Affected Systems
- LearnPress - WordPress LMS Plugin
📦 What is this software?
LearnPress by ThimPress
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, payment information, and administrative access leading to site takeover.
Likely Case
Extraction of sensitive user data, course content, and potentially administrative credentials.
If Mitigated
Limited information disclosure if database permissions are properly restricted and WAF blocks injection attempts.
🎯 Exploit Status
SQL injection via the REST API endpoint requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.7.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3148560/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find LearnPress plugin
4. Click 'Update Now' if available
5. If manual update needed, download version 4.2.7.1 from WordPress.org
6. Deactivate old plugin, upload new version, activate
🔧 Temporary Workarounds
Disable REST API endpoint
Block access to the vulnerable REST API endpoint
Add to .htaccess (after RewriteEngine On and before the WordPress rewrite block, so it is evaluated first): RewriteRule ^wp-json/learnpress/v1/courses - [F,L]
Note: this rule only covers the pretty-permalink path; WordPress also serves REST routes through the ?rest_route= query form, so block that form as well.
Web Application Firewall rule
Block SQL injection attempts targeting the vulnerable parameter
WAF rule to block requests containing SQL keywords in the c_only_fields parameter
🧯 If You Can't Patch
- Disable LearnPress plugin entirely until patched
- Implement strict network ACLs to restrict access to WordPress REST API endpoints
🔍 How to Verify
Check if Vulnerable:
Check the LearnPress version number under WordPress admin → Plugins; 4.2.7 or earlier is vulnerable
Check Version:
wp plugin list --name=learnpress --field=version
Verify Fix Applied:
Verify LearnPress version is 4.2.7.1 or higher in WordPress admin
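To run this check across many sites rather than by eye, the following added example (not from the advisory or from LearnPress) parses the output of `wp plugin list --format=json` (a real WP-CLI option) and compares the version as a tuple of integers, which avoids the string-comparison trap where "4.2.10" sorts before "4.2.7". The sample JSON is constructed.

```python
"""Decide whether an installed LearnPress version is in the affected range.
Added example for this advisory, not LearnPress project code. Feed it the
output of `wp plugin list --format=json` or of the --field=version command."""
import json
import sys

PLUGIN = "learnpress"
FIRST_FIXED = (4, 2, 7, 1)  # patch version given in the advisory


def parse_version(text):
    """'4.2.7.1' -> (4, 2, 7, 1). Numeric components only; a trailing suffix
    such as '-beta' on the last component is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version):
    """True for versions up to and including 4.2.7 (anything below the first fix)."""
    return parse_version(version) < FIRST_FIXED


def check(wp_cli_output):
    """Accept `wp plugin list --format=json` output or a bare version string.
    Returns a dict with installed / version / vulnerable."""
    text = wp_cli_output.strip()
    if text.startswith("["):
        rows = [r for r in json.loads(text) if r.get("name") == PLUGIN]
        if not rows:
            return {"installed": False, "version": None, "vulnerable": False}
        version = rows[0]["version"]
    else:
        version = text
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "learnpress", "status": "active", "update": "available", "version": "4.2.7"},
])

if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python3 check_learnpress.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    result = check(data)
    if not result["installed"]:
        print("LearnPress is not installed")
    else:
        state = "VULNERABLE, update to 4.2.7.1 or later" if result["vulnerable"] else "patched"
        print(f"LearnPress {result['version']}: {state}")
    sys.exit(1 if result["vulnerable"] else 0)
```

The non-zero exit code on a vulnerable install lets the script sit in a loop over hosts or in a configuration-management check; run with no stdin it evaluates the constructed sample.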
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-json/learnpress/v1/courses
- SQL error messages in WordPress debug logs
- Multiple failed SQL queries from a single IP
Network Indicators:
- HTTP requests with SQL keywords in c_only_fields parameter
- Unusual traffic patterns to REST API endpoints
SIEM Query:
source="wordpress.log" AND "wp-json/learnpress/v1/courses" AND ("SQL" OR "syntax" OR "union" OR "select")
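The WAF workaround and the detection indicators above come down to the same check: a c_only_fields value that is anything other than a list of column names. The following is an added example (not from the advisory or from LearnPress) that applies that check to Apache/nginx combined-format access log lines, normalising both the /wp-json path and the ?rest_route= query form of a REST request. The log lines, IP addresses and timestamps are constructed, and the keyword list extends the one in the SIEM query above.

```python
"""Flag requests to the LearnPress courses REST endpoint whose c_only_fields
value does not look like a plain list of column names.
Added example for this advisory, not LearnPress project code; the log lines
below are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Route of the affected endpoint. WordPress serves REST routes both as
# /wp-json/<route> and as /?rest_route=<route>, so both forms are normalised.
ROUTE = "/learnpress/v1/courses"
PARAM = "c_only_fields"

# The parameter is meant to carry column names, so a comma-separated list of
# identifiers is the only legitimate shape.
IDENTIFIER_LIST = re.compile(r"^[A-Za-z0-9_.,\s]*$")
# Keywords from the advisory's SIEM query plus a few common ones.
SQL_KEYWORDS = re.compile(r"\b(union|select|from|where|sleep|benchmark|concat)\b",
                          re.IGNORECASE)

# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def route_of(target):
    """Return (route, query params) for a request target, normalising both REST URL forms."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    route = params["rest_route"][0] if "rest_route" in params else parts.path
    if route.startswith("/wp-json"):
        route = route[len("/wp-json"):]
    return route.rstrip("/"), params


def inspect(line):
    """Return a finding for a suspicious request to the courses endpoint, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    route, params = route_of(m.group("target"))
    if route != ROUTE or PARAM not in params:
        return None
    value = params[PARAM][0]  # parse_qs has already percent-decoded the value
    if not IDENTIFIER_LIST.match(value):
        reason = f"non-identifier characters in {PARAM}"
    elif SQL_KEYWORDS.search(value):
        reason = f"SQL keyword in {PARAM}"
    else:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"), "method": m.group("method"),
            "status": m.group("status"), "value": value, "reason": reason}


def scan(lines):
    """Scan log lines; return the findings and a per-source-IP count of them."""
    findings = [f for f in map(inspect, lines) if f is not None]
    return findings, Counter(f["ip"] for f in findings)


# Constructed sample traffic: a legitimate field list, two suspicious requests
# from one source (one per REST URL form), and an unrelated endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2024:12:00:01 +0000] "GET /wp-json/learnpress/v1/courses'
    '?c_only_fields=ID,post_title HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Sep/2024:12:00:05 +0000] "GET /wp-json/learnpress/v1/courses'
    '?c_only_fields=ID%2Cpost_title%20union%20select%201 HTTP/1.1" 500 0',
    '203.0.113.9 - - [10/Sep/2024:12:00:07 +0000] "GET /?rest_route=/learnpress/v1/courses'
    '&c_only_fields=ID%27 HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Sep/2024:12:00:09 +0000] "GET /wp-json/wp/v2/posts?per_page=5'
    ' HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    findings, by_ip = scan(SAMPLE_LOG)
    for f in findings:
        print(f"{f['time']} {f['ip']} HTTP {f['status']}: {f['reason']} ({f['value']!r})")
    for ip, n in by_ip.items():
        if n > 1:
            print(f"{ip}: {n} suspicious requests to {ROUTE}")
```

The identifier allow-list is the primary signal and the keyword list only a fallback, which keeps the check useful against encodings the keyword list does not anticipate. Access logs only carry the query string, so the POST-body case listed under Log Indicators needs WAF or application-level request logging to apply the same rule.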
🔗 References
- https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/jwt/rest-api/version1/class-lp-rest-courses-v1-controller.php#L441
- https://plugins.trac.wordpress.org/changeset/3148560/learnpress/tags/4.2.7.1/inc/jwt/rest-api/version1/class-lp-rest-courses-v1-controller.php?old=3138586&old_path=learnpress%2Ftags%2F4.2.7%2Finc%2Fjwt%2Frest-api%2Fversion1%2Fclass-lp-rest-courses-v1-controller.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e495507d-7eac-4f38-ab6f-b8f0809b2be4?source=cve