LearnPress < 3.2.6.9 – Privilege Escalation to "LP Instructor" | CVE 2020-11511 | Plugin Vulnerabilities

Description

The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The "LP Instructor" role grants the "unfiltered_html" capability, allowing an escalated user to insert posts containing malicious JavaScript

Proof of Concept

It is possible for a remote attacker to elevate the privileges of any user to LP Instructor by sending a request to any location within wp-admin, such as wp-admin/admin-post.php with the action parameter set to accept-to-be-teacher and the user_id parameter set to an arbitrary user ID. This is possible because the learn_press_accept_become_a_teacher function runs on the plugins_loaded action and lacks nonce checks and capability checks.

Affects Plugins

Fixed in 3.2.6.9

References

CVE

URL

https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall (Wordfence)

Submitter

Ramuel Gall

Verified

No

WPVDB ID

22b2cbaa-9173-458a-bc12-85e7c96961cd

Timeline

Publicly Published

2020-04-28 (about 5 years ago)

Added

2020-04-28 (about 5 years ago)

Last Updated

2020-04-29 (about 5 years ago)

Other

Published

Title

Published

2024-10-16

Title

Miniorange OTP Verification with Firebase < 3.6.1 - Privilege Escalation via Registration due to Administrator Default User Role Value

Published

2024-09-06

Title

WPCOM Member < 1.5.3 - Unauthenticated Privilege Escalation via User Meta

Published

2026-01-12

Title

User Profile Builder < 3.15.2 - Unauthenticated Arbitrary Password Reset

Published

2023-07-31

Title

Shop as a Customer for WooCommerce < 1.1.8 - Subscriber+ Privilege Escalation

Published

2025-03-06

Title

InWave Jobs <= 3.5.1 - Unauthenticated Privilege Escalation