CVE-2024-9881

4.8 MEDIUM

📋 TL;DR

This vulnerability allows high-privilege WordPress users (such as administrators) to store malicious scripts in LearnPress plugin settings; the scripts then execute when other users load the pages where those settings are rendered. It affects WordPress sites running LearnPress plugin versions before 4.2.7.2, and is most relevant in multisite configurations, where administrators are not granted the unfiltered_html capability and so should not be able to store raw script in settings.

💻 Affected Systems

Products:
  • LearnPress WordPress Plugin
Versions: All versions before 4.2.7.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires high-privilege user access (admin or similar). Particularly relevant in WordPress multisite setups where unfiltered_html capability is disallowed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with admin privileges could inject persistent malicious scripts that steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users across the entire WordPress site.

🟠 Likely Case

Malicious administrator or compromised admin account injects tracking scripts, defaces parts of the site, or steals lower-privileged user credentials through stored XSS payloads.

🟢 If Mitigated

With proper access controls and admin account security, impact is limited to potential data exposure from malicious admin actions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access. Attack involves injecting JavaScript into plugin settings fields that lack proper sanitization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.7.2

Vendor Advisory: https://wordpress.org/plugins/learnpress/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the LearnPress plugin.
4. Click 'Update Now' if an update is available.
5. If a manual update is needed, download version 4.2.7.2 from WordPress.org, deactivate the old version, upload the new version, and activate it.

🔧 Temporary Workarounds

Remove Admin Privileges (platform: all)

Temporarily reduce the number of admin users and implement least-privilege access.

Disable LearnPress Plugin (platform: linux)

Deactivate the plugin until patched if it is not critically needed:

wp plugin deactivate learnpress

🧯 If You Can't Patch

  • Implement strict access controls and monitor admin user activities
  • Use web application firewall (WAF) rules to block XSS payloads in POST requests to LearnPress settings

🔍 How to Verify

Check if Vulnerable:

Check LearnPress plugin version in WordPress admin panel under Plugins > Installed Plugins

Check Version:

wp plugin get learnpress --field=version

Verify Fix Applied:

Confirm LearnPress version is 4.2.7.2 or higher in plugin details

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to LearnPress settings endpoints
  • Admin users modifying LearnPress settings with script-like content

Network Indicators:

  • HTTP POST requests to /wp-admin/admin.php?page=learnpress-settings containing JavaScript payloads

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin.php" AND query_string="page=learnpress-settings") AND (body="<script" OR body="javascript:")
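As an added example (not code from this page or from LearnPress itself), the version check from "How to Verify" and the detection logic of the SIEM query above, combined in one Python script and run over a constructed JSON-lines audit log. The log format and its field names (ts, user, method, uri, body) are assumptions; the script also goes slightly beyond the SIEM query by matching the script markers case-insensitively.

```python
"""Defender-side checks for CVE-2024-9881 (added example; log format is assumed)."""
import json
import re
from urllib.parse import parse_qs, urlparse

FIXED_VERSION = (4, 2, 7, 2)  # first patched LearnPress release per the advisory
# Case-insensitive, unlike the literal SIEM query, so "<SCRIPT" is caught too.
SCRIPT_PATTERN = re.compile(r"<script|javascript:", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'4.2.7.1' -> (4, 2, 7, 1). Numeric tuples compare correctly where a string
    compare would wrongly rank 4.2.7.10 below 4.2.7.2."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the installed LearnPress version is below 4.2.7.2."""
    return parse_version(version) < FIXED_VERSION


def suspicious_settings_posts(log_lines):
    """Return records matching the page's indicator: a POST to
    /wp-admin/admin.php?page=learnpress-settings whose body carries script-like content."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        url = urlparse(rec.get("uri", ""))
        if url.path != "/wp-admin/admin.php":
            continue
        if parse_qs(url.query).get("page") != ["learnpress-settings"]:
            continue
        if SCRIPT_PATTERN.search(rec.get("body", "")):
            hits.append(rec)
    return hits


# Constructed sample audit log (assumed JSON-lines format); not real traffic.
SAMPLE_LOG = [
    '{"ts":"2024-10-15T10:01:02Z","user":"admin","method":"POST","uri":"/wp-admin/admin.php?page=learnpress-settings","body":"lp_footer_text=<SCRIPT>x</SCRIPT>"}',
    '{"ts":"2024-10-15T10:02:40Z","user":"editor","method":"GET","uri":"/wp-admin/admin.php?page=learnpress-settings","body":""}',
    '{"ts":"2024-10-15T10:03:11Z","user":"admin","method":"POST","uri":"/wp-admin/admin.php?page=learnpress-settings","body":"lp_footer_text=Welcome"}',
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("4.2.7.1"))
    for hit in suspicious_settings_posts(SAMPLE_LOG):
        print("suspicious settings POST:", hit["ts"], hit["user"])
```

Feed `is_vulnerable()` the output of `wp plugin get learnpress --field=version` to automate the version check across many sites.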
