LearnPress < 4.2.6.9 – Authenticated (Subscriber+) Insecure Direct Object Reference | CVE 2024-39642 | Plugin Vulnerabilities

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.8.2 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Fixed in 4.2.6.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7449ed1e-cc09-4b8b-8226-7cdc70be2b36

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

11ac3ebe-d09a-4bfb-89f5-3d6103b4525b

Timeline

Publicly Published

2024-08-01 (about 1 year ago)

Added

2024-08-07 (about 1 year ago)

Last Updated

2024-08-07 (about 1 year ago)

Other

Published

Title

Published

2023-12-05

Title

WP Photo Album Plus < 8.6.01.003 - Insecure Direct Object Reference

Published

2025-07-25

Title

WoodMart < 8.2.7 - Unauthenticated Cart Manipulation

Published

2024-12-03

Title

Dollie Hub – Build Your Own WordPress Cloud Platform < 6.2.1 - Authenticated (Contributor+) Post Disclosure

Published

2025-11-12

Title

Timetable and Event Schedule by MotoPress < 2.4.16 - Contributor+ Event Disclosure via IDOR

Published

2025-09-03

Title

wpForo Forum < 2.4.7 - Authenticated (Subscriber+) Insecure Direct Object Reference