WordPress Plugin Vulnerabilities

LearnPress < 3.2.6.9 - Privilege Escalation to "LP Instructor"

Description

The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The "LP Instructor" role grants the "unfiltered_html" capability, allowing an escalated user to insert posts containing malicious JavaScript

Proof of Concept

It is possible for a remote attacker to elevate the privileges of any user to LP Instructor by sending a request to any location within wp-admin, such as wp-admin/admin-post.php with the action parameter set to accept-to-be-teacher and the user_id parameter set to an arbitrary user ID. This is possible because the learn_press_accept_become_a_teacher function runs on the plugins_loaded action and lacks nonce checks and capability checks.

Affects Plugins

Plugin icon
learnpress
Fixed in 3.2.6.9

References

CVE
CVE-2020-11511
URL
https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Submitter
Ramuel Gall
Verified
No
WPVDB ID
22b2cbaa-9173-458a-bc12-85e7c96961cd

Timeline

Publicly Published
2020-04-28 (about 3 years ago)
Added
2020-04-28 (about 3 years ago)
Last Updated
2020-04-29 (about 3 years ago)

Other

Published
Title
Published
2023-11-09
Title
WP User Frontend < 3.6.6 - Authenticated (Author+) Privilege Escalation
Published
2018-10-11
Title
WooCommerce <= 3.4.5 - Authenticated File Deletion to Privilege Escalation
Published
2019-08-03
Title
Travel Management < 1.7 - Unauthenticated Options Change
Published
2021-04-26
Title
Store Locator Plus < 5.9 - Authenticated Privilege Escalation
Published
2021-02-24
Title
Woocommerce Customers Manager < 26.5 - Arbitrary Account Creation/Update by Low Privilege Users