WordPress Plugin Vulnerabilities

LearnPress – WordPress LMS Plugin < 4.2.7.4 - Course Material Sensitive Information Exposure via REST API

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material.

Affects Plugins

Plugin icon
learnpress
Fixed in 4.2.7.4

References

CVE
CVE-2024-11868
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7bd43980-9193-4a63-adba-720dd1b11699

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
abrahack
Verified
No
WPVDB ID
7524ffd8-3506-48f7-89b6-d07b40533756

Timeline

Publicly Published
2024-12-09 (about 1 year ago)
Added
2024-12-10 (about 1 year ago)
Last Updated
2024-12-10 (about 1 year ago)

Other

Published
Title
Published
2019-08-09
Title
Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion
Published
2021-12-06
Title
Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
Published
2024-01-23
Title
illi Link Party! <= 1.0 - Unauthenticated Arbitrary Link Deletion
Published
2024-06-14
Title
AIomatic - Automatic AI Content Writer < 2.0.6 - Unauthenticated Arbitrary Email Sending
Published
2024-03-04
Title
Maintenance Mode < 3.0.2 - Unauthenticated Post/Page Content Disclosure