LearnPress < 3.2.6.9 – Privilege Escalation to "LP Instructor" | CVE 2020-11511 | Plugin Vulnerabilities

Description

The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The "LP Instructor" role grants the "unfiltered_html" capability, allowing an escalated user to insert posts containing malicious JavaScript

Proof of Concept

It is possible for a remote attacker to elevate the privileges of any user to LP Instructor by sending a request to any location within wp-admin, such as wp-admin/admin-post.php with the action parameter set to accept-to-be-teacher and the user_id parameter set to an arbitrary user ID. This is possible because the learn_press_accept_become_a_teacher function runs on the plugins_loaded action and lacks nonce checks and capability checks.

Affects Plugins

Fixed in 3.2.6.9

References

CVE

URL

https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall (Wordfence)

Submitter

Ramuel Gall

Verified

No

WPVDB ID

22b2cbaa-9173-458a-bc12-85e7c96961cd

Timeline

Publicly Published

2020-04-28 (about 5 years ago)

Added

2020-04-28 (about 5 years ago)

Last Updated

2020-04-29 (about 5 years ago)

Other

Published

Title

Published

2020-05-13

Title

Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access

Published

2023-05-22

Title

Leyka < 3.30.3 - Subscriber+ Privilege Escalation

Published

2023-09-04

Title

All in One B2B for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation

Published

2025-04-11

Title

WPC Admin Columns 2.0.6 - 2.1.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update

Published

2025-04-24

Title

Service Finder Bookings < 6.0 - Unauthenticated Privilege Escalation via 'nsl_registration_store_extra_input'