WordPress Plugin Vulnerabilities

LearnPress Plugin < 4.2.0 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape the order by parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Affects Plugins

Plugin icon
learnpress
Fixed in 4.2.0

References

CVE
CVE-2022-45808

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Fadilah Agung Nugraha
Verified
No
WPVDB ID
d65bcf8e-f72c-4c5b-b073-e72001369637

Timeline

Publicly Published
2023-01-24 (about 3 years ago)
Added
2023-01-24 (about 3 years ago)
Last Updated
2023-01-24 (about 3 years ago)

Other

Published
Title
Published
2024-06-06
Title
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress < 9.0.2 - Authenticated (Contributor+) SQL Injection
Published
2015-06-02
Title
LeagueManager <= 3.9.11 - Unauthenticated SQL Injection
Published
2024-08-17
Title
TrueBooker < 1.0.3 - Multiple Unauthenticated SQLi
Published
2025-05-29
Title
Infility Global <= 2.14.51 - Subscriber+ SQL Injection
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Unauthenticated SQL Injection