WordPress Plugin Vulnerabilities

Learnpress < 3.2.6.8 - Authenticated Time Based Blind SQL Injection

Description

This could allow a low privilege user, to perform a time based SQL Injection attack and retrieve data from the DB, such as hashed passwords.

Affects Plugins

Plugin icon
learnpress
Fixed in 3.2.6.8

References

CVE
CVE-2020-6010
URL
https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.5 (high)

Miscellaneous

Verified
No
WPVDB ID
b65a4c93-0f6d-461e-b3e0-7dbe29918335

Timeline

Publicly Published
2020-04-29 (about 6 years ago)
Added
2020-04-30 (about 6 years ago)
Last Updated
2020-05-02 (about 6 years ago)

Other

Published
Title
Published
2023-11-23
Title
Porto Theme - Functionality < 2.12.1 - Unauthenticated SQL Injection
Published
2023-05-10
Title
WP Replicate Post < 4.1 - Contributor+ SQL Injection
Published
2025-03-21
Title
WP Google Calendar Manager <= 2.1 - Authenticated (Subscriber+) SQL Injection
Published
2020-08-31
Title
Recall Products <= 0.8 - Authenticated SQL Injection
Published
2017-08-24
Title
WordPress 2.3.0-4.7.4 - Authenticated SQL injection