Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Multiple Critical Vulnerabilities in WordPress Plugin LearnPress
Alerts

Multiple Critical Vulnerabilities in WordPress Plugin LearnPress

25 January 2023

LearnPress, a WordPress learning management system (LMS) plugin, has released security updates to address multiple critical vulnerabilities.

The vulnerabilities are:

  • CVE-2022-47615: An unauthenticated local file inclusion vulnerability could allow an attacker to display contents of local files stored on the web server, potentially exposing credentials, authorisation tokens, and API keys.

  • CVE-2022-45808: An unauthenticated SQL injection vulnerability could allow an attacker to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution.

  • CVE-2022-45820: An authenticated SQL injection vulnerability could allow an attacker to insert malicious code, potentially leading to sensitive information disclosure, data modification, and arbitrary code execution.

Users and administrators of LearnPress are advised to upgrade to version 4.2.0 immediately.

More information is available here:

https://patchstack.com/articles/multiple-critical-vulnerabilities-fixed-in-learnpress-plugin-version/

https://www.bleepingcomputer.com/news/security/75k-wordpress-sites-impacted-by-critical-online-course-plugin-flaws/

Back to top