CVE-2022-45808 Scanner
CVE-2022-45808 Scanner - SQL Injection (SQLi) vulnerability in LearnPress Plugin
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 13 days 12 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
LearnPress is a comprehensive Learning Management System (LMS) plugin designed for WordPress, allowing educators and institutions to create and manage online courses directly from their websites. Used by a variety of educational organizations, it supports course creation, quizzes, payment gateways, and other e-learning functionalities. The plugin simplifies the process of setting up online classes, making it accessible for schools, universities, and independent instructors worldwide. LearnPress’s integration with WordPress allows users to leverage a vast array of additional plugins and themes to enhance the user experience. Its popularity stems from its flexibility, ease of use, and the robust community that supports it. As a widely used tool, maintaining its security is crucial to protect educational content and user data.
SQL Injection (SQLi) is a critical vulnerability that allows attackers to manipulate a web application's database through unsanitized inputs, potentially reading, modifying, or deleting data. In this case the vulnerability is a time-based blind SQL injection, meaning the attacker infers data from the response time of the injected SQL queries rather than from their output. Exploiting it requires no authentication, which makes it a severe threat to vulnerable systems. SQLi vulnerabilities are dangerous because they permit unauthorized viewing of data that can include sensitive business information, user details, and more. Robust input validation and parameterized queries are vital to preventing SQLi, yet they are often overlooked during development. Failing to address such vulnerabilities can lead to significant data breaches and loss of user trust.
The vulnerability exists in the LearnPress plugin's handling of the 'c_search' parameter in HTTP POST requests to the '/wp-json/lp/v1/courses/archive-course' endpoint. An attacker can manipulate this parameter to execute arbitrary SQL commands against the database. The attack is a time-based blind SQL injection: the attacker appends a payload that makes the database sleep, then infers database contents from the resulting delay in the response. Details such as the application's database structure and sensitive content can be exfiltrated this way. The SQL query embedded within the HTTP request manipulates the 'order_by' parameter to introduce the injection vector. The endpoint fails to properly sanitize this input, leaving it open to exploitation.
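The defect class described above, shown as an added illustration rather than LearnPress's own code: a hypothetical WordPress REST handler that interpolates the 'c_search' and 'order_by' request parameters into SQL, beside the hardened form. The route namespace, function names, and the 'lp_course' post type are assumptions for the example.

```php
<?php
// Hypothetical route mirroring the endpoint shape on the page (not LearnPress's code).
add_action( 'rest_api_init', function () {
    register_rest_route( 'lp-example/v1', '/courses/archive-course', array(
        'methods'             => 'POST',
        'callback'            => 'lp_example_archive_course',
        'permission_callback' => '__return_true', // unauthenticated, as described above
    ) );
} );

// ORDER BY identifiers cannot be bound with $wpdb->prepare(), so the sort
// column must be resolved from an allowlist, never taken from the request.
const LP_EXAMPLE_ORDER_BY = array(
    'post_date'  => 'p.post_date',
    'post_title' => 'p.post_title',
);

function lp_example_archive_course( WP_REST_Request $request ) {
    global $wpdb;
    $search   = (string) $request->get_param( 'c_search' );
    $order_by = (string) $request->get_param( 'order_by' );

    // VULNERABLE PATTERN: request input concatenated straight into the query.
    // Both the LIKE value and the ORDER BY clause become injection points.
    // $sql = "SELECT p.ID FROM {$wpdb->posts} p WHERE p.post_title LIKE '%{$search}%'
    //         ORDER BY {$order_by}";

    // HARDENED: bind the search term as a value, escape LIKE wildcards so a
    // '%' in user input stays literal, and allowlist the sort column.
    $order_sql = LP_EXAMPLE_ORDER_BY[ $order_by ] ?? 'p.post_date';
    $like      = '%' . $wpdb->esc_like( $search ) . '%';
    $sql       = $wpdb->prepare(
        "SELECT p.ID, p.post_title FROM {$wpdb->posts} p
         WHERE p.post_type = %s AND p.post_status = 'publish'
           AND p.post_title LIKE %s
         ORDER BY {$order_sql} DESC LIMIT %d",
        'lp_course', // assumed course post type for this example
        $like,
        20
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}
```

The placeholder mechanism in prepare() is what removes the time-based vector: a sleeping expression supplied in 'c_search' is compared as a string, not executed, and an unknown 'order_by' value falls back to the default column.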
Exploitation of this SQLi vulnerability can have dire consequences, including unauthorized access to confidential data such as user credentials, personal information, and course material. Attackers might corrupt or delete critical data, disrupting the educational services provided by the affected institution. Furthermore, if an attacker gains administrative privileges through the injection, they could manipulate the application's content and potentially distribute malicious material. Such a breach could lead to severe reputational damage for the institution, legal ramifications, and a loss of participant trust. It is therefore imperative to patch the vulnerability to protect both the organization's resources and its users.