WordPress Plugin Vulnerabilities

LearnDash LMS < 4.5.3.1 - SQL Injection

Description

The plugin does not properly neutralize special elements used in an SQL command, leading to potential SQL injection vulnerability.

Affects Plugins

Plugin icon
sfwd-lms
Fixed in 4.5.3.1

References

CVE
CVE-2023-28777
URL
https://patchstack.com/database/vulnerability/sfwd-lms/wordpress-learndash-lms-plugin-4-5-3-contributor-sql-injection-vulnerability

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
d4ee76bb-f715-4e3e-8a72-4ce39f03f0e6

Timeline

Publicly Published
2023-10-31 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2022-05-09
Title
Note Press <= 0.1.10 - Admin+ SQLi via id
Published
2025-07-01
Title
LifterLMS < 8.0.7 - Unauthenticated SQL Injection
Published
2026-02-17
Title
Business Directory Plugin < 6.4.22 - Unauthenticated SQL Injection via payment Parameter
Published
2022-04-13
Title
WP Video Gallery <= 1.7.1 - Unauthenticated SQLi
Published
2025-03-14
Title
School Management System – WPSchoolPress < 2.2.18 - Teacher+ SQL Injection