🏠 Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeiträge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden Überblick über die wichtigsten Aspekte der IT-Sicherheit in einer sich ständig verändernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch übersetzen, erst Englisch auswählen dann wieder Deutsch!

Google Android Playstore Download Button für Team IT Security

800+ IT News als RSS Feed abonnieren

Thema auswählen:

📚 LearnPress: 75,000 WordPress Websites at Risk from Critical Vulnerabilities

🕛 Zeit seit Veröffentlichung: 446 Tage, 2 Stunden 6 Minuten
📆 Veröffentlicht am: 25.01.2023 um 09:13 Uhr
💡 Newskategorie: Hacking
🔗 Quelle: blackhatethicalhacking.com

LearnPress: 75,000 WordPress Websites at Risk from Critical Vulnerabilities

Post Views: 4

Premium Content

Subscribe to Patreon to watch this episode.

Reading Time: 3 Minutes

LearnPress, a popular WordPress plugin for creating and selling online courses, has been found to contain multiple critical-severity flaws that were discovered by PatchStack.

Unfortunately, the plugin was found to contain multiple critical-severity vulnerabilities that were discovered by PatchStack, including pre-auth SQL injection and local file inclusion. These vulnerabilities can expose sensitive information, allow data modification, and enable arbitrary code execution. These vulnerabilities can expose sensitive information, allow data modification, and enable arbitrary code execution.

These vulnerabilities were discovered between November 30 and December 2, 2022 and reported to the software vendor.

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

Update available, 25% applied.

The plugin is used by over 100,000 active websites and was reported to the software vendor on December 2, 2022. The vendor fixed the issues on December 20, 2022 with the release of LearnPress version 4.2.0.
However, according to statistics from WordPress.org, only 25% of users have applied the update, leaving 75,000 websites at risk of exploitation.

LearnPress versions on active installations (WordPress)

The vulnerabilities could expose credentials, authorization tokens, and API keys, leading to further compromise, which can have serious repercussions.

Trending: Recon Tool: Shotlooter

The 3 Vulnerabilities

The first vulnerability, CVE-2022-47615, is an unauthenticated local file inclusion flaw that allows attackers to display the contents of local files stored on the web server. The second vulnerability, CVE-2022-45808, is an unauthenticated SQL injection that can potentially lead to sensitive information disclosure, data modification, and arbitrary code execution. The third vulnerability, CVE-2022-45820, is an authenticated SQL injection flaw in two shortcodes of the plugin.

SQL injection example (PatchStack)

The vendor has fixed these issues by introducing an allowlist and sanitization of the vulnerable variables or removing the ability to include templates in user input. Website owners relying on LearnPress are advised to either upgrade to version 4.2.0 or disable the plugin until they can apply the available security update.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link