WordPress Plugin Vulnerabilities

LearnPress Plugin < 4.2.0 - Unauthenticated LFI

Description

The plugin does not validate various parameters in the lp/v1/courses/archive-course REST endpoints before using them in include statement, which could lead to LFI issues.

Affects Plugins

Plugin icon
learnpress
Fixed in 4.2.0

References

CVE
CVE-2022-47615

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.3 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
21de39ee-6e56-43f7-8d5d-52e0ec542516

Timeline

Publicly Published
2023-01-24 (about 2 years ago)
Added
2023-01-24 (about 2 years ago)
Last Updated
2023-01-24 (about 2 years ago)

Other

Published
Title
Published
2017-02-10
Title
Javo Spot Premium Theme - Unauthenticated Directory Traversal
Published
2023-05-26
Title
WP Directory Kit < 1.2.0 - Unauthenticated Local File Inclusion
Published
2021-07-12
Title
UpdraftPlus < 1.16.59 - Admin+ Local File Inclusion
Published
2021-06-23
Title
WP Image Zoom < 1.47 - Local File Inclusion
Published
2024-04-26
Title
BackUpWordPress < 3.14 - Admin+ Directory Traversal