Description

WordPress Plugin LearnPress-WordPress LMS is prone to a vulnerability that lets remote attackers inject and execute arbitrary code because the application fails to sanitize user-supplied input before being passed to the unserialize() PHP function. Attackers can possibly exploit this issue to execute arbitrary PHP code within the context of the affected webserver process. WordPress Plugin LearnPress-WordPress LMS version 4.1.7.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.1.7.2 or latest

References

https://sploitus.com/exploit?id=WPEX-ID:ACEA7A54-A964-4127-A93F-F38F883074E3

https://wordpress.org/plugins/learnpress/#developers

Related Vulnerabilities

Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2009-1844)

Oracle Database Server CVE-2006-0282 Vulnerability (CVE-2006-0282)

WordPress Plugin Tutor LMS-eLearning and online course solution Cross-Site Scripting (2.0.9)

WordPress Plugin Premium SEO Pack Multiple Vulnerabilities (1.8.0)

WordPress Plugin WP-Filebase Download Manager 'base' Parameter SQL Injection (0.2.9)

Severity

High

Classification

CVE-2022-3360 CWE-915 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update