Description

WordPress Plugin Good LMS-Learning Management System is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Good LMS-Learning Management System version 2.1.4 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 2.1.5 or latest

References

https://www.exploit-db.com/exploits/49033

https://gist.github.com/0xx7/a7aaa8b0515139cf7e30c808c8d54070

https://packetstormsecurity.com/files/160034/WordPress-Good-LMS-2.1.4-SQL-Injection.html

https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850

Related Vulnerabilities

MySQL Other Vulnerability (CVE-2006-1517)

WordPress Plugin KJM Admin Notices Cross-Site Scripting (2.0.1)

Osclass Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2014-8083)

Drupal Core 9.4.x Remote Code Execution (9.4.0 - 9.4.2)

osCommerce Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-43715)

Severity

High

Classification

CVE-2020-27481 CWE-89 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update SQL Injection