Multiple critical security flaws were found in the WordPress online course plugin “LearnPress”, including local file inclusion and pre-auth SQL injection.
The LearnPress plugin allows WordPress sites to create, sell, and manage online lessons and courses. It provides a user-friendly interface and requires no programming knowledge.
PatchStack discovered the vulnerabilities in the plugin, which is used on over 100,000 sites, and reported them to the vendor.
These issues were resolved in LearnPress 4.2.0 on December 20, 2022. Active installation statistics from WordPress show that only 25% of the affected sites have updated.
Figure: LearnPress versions on active installations (WordPress)
This means that around 75,000 sites may still be running a vulnerable LearnPress version, leaving them exposed to attacks with potentially severe consequences.
Details about the vulnerabilities
CVE-2022-47615 is the first vulnerability reported by PatchStack. This flaw allows an attacker to view the contents of files on the web server.
This could lead to additional compromise by exposing credentials, authorization tokens and API keys.
The vulnerability lies in the code that handles the website's API requests, specifically in the “list_courses” function, which does not properly validate the $template_pagination_path, $template_path, and $template_path_item variables.
CVE-2022-47615 can be exploited by sending a specially crafted API request that supplies malicious values for those variables.
CVE-2022-45808 is the second major flaw, an unauthenticated SQL injection that could lead to data modification and sensitive information disclosure.
The vulnerability lies in the function that processes SQL queries on the website, which does not properly validate and sanitize the $filter variable within the query parameters, allowing an attacker to inject malicious SQL.
Figure: SQL injection example (PatchStack)
The third flaw, affecting older LearnPress versions, is CVE-2022-45820, an authenticated SQL injection in two of the plugin's shortcodes (“learn_press_recent_courses” and “learn_press_featured_courses”), which fail to properly validate and sanitize the input of the “$args” variable.
PatchStack demonstrated how an ‘Administrator’ user can trigger the SQL injection via a shortcode inserted in a post.
Exploiting this flaw requires an account that can create or edit a blog post, which limits who can trigger it.
The vendor addressed these issues by adding an allowlist, sanitizing the affected variables, and removing the possibility of user input being used as a template path.
Site owners who rely on LearnPress should upgrade to version 4.2.0, or deactivate the plugin until they can apply the update.
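The two hardening patterns named in the fix, an allowlist for template paths and parameterised SQL for user-controlled filter values, look roughly like the following in a WordPress plugin. This is an added illustration, not LearnPress's own code: the function names are hypothetical, the template allowlist and the `lp_course` post type name are assumed for the example, and `$wpdb` is WordPress's standard database object.

```php
<?php
// Added example (not LearnPress code). Shows how a plugin can stop user input
// from selecting arbitrary files (the LFI class) and from altering query
// structure (the SQL injection class). Function names are hypothetical.

/**
 * Resolve a user-supplied template name to a file inside $template_dir.
 * Returns the absolute path, or null when the name is not on the allowlist
 * or does not resolve to a file inside the template directory.
 */
function example_resolve_template(string $requested, string $template_dir, array $allowed): ?string
{
    // 1. Allowlist: only template names the plugin itself defines are accepted,
    //    so request parameters can never name a path of the attacker's choosing.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Canonicalise and confirm containment, so "../" segments or symlinks
    //    cannot escape the directory even if the allowlist is edited later.
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Build a course listing query with the user's filter keyword mapped through
 * an allowlist and the limit bound as a parameter via $wpdb->prepare().
 */
function example_course_query(wpdb $wpdb, string $filter, int $limit): array
{
    // The ORDER BY fragment is chosen from fixed strings; the raw $filter value
    // never reaches the SQL text. Unknown keywords fall back to a safe default.
    $orders = [
        'recent' => 'post_date DESC',
        'title'  => 'post_title ASC',
    ];
    $order_by = $orders[$filter] ?? 'post_date DESC';

    // %s / %d placeholders are escaped and typed by prepare(), so the values
    // cannot change the statement's structure. 'lp_course' is assumed here.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = %s
         ORDER BY $order_by LIMIT %d",
        'lp_course',
        'publish',
        max(1, min($limit, 100))
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// Usage inside a request handler (example values):
// $tpl = example_resolve_template($_GET['template'] ?? '', __DIR__ . '/templates',
//                                 ['course-list.php', 'course-item.php']);
// if ($tpl === null) { wp_send_json_error('invalid template', 400); }
// $rows = example_course_query($GLOBALS['wpdb'], $_GET['filter'] ?? 'recent', 10);
```

The important property in both functions is that request data only ever selects among values the plugin already defines; it is never concatenated into a file path or a query. That is what removes the LFI and SQL injection conditions described above, regardless of how the request is crafted.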