CVE-2024-8529 - How a Dangerous SQL Injection Flaw in LearnPress Puts WordPress Sites at Risk

If you use LearnPress on your WordPress site, you must read this! In February 2024, a serious vulnerability—tracked as CVE-2024-8529—was discovered in the popular LearnPress – WordPress LMS Plugin. This bug allows unauthenticated attackers to steal secret data from your site's database by abusing the plugin's REST API. Below, I break down how it works, show a code example, and tell you how to protect your site.

What Is LearnPress?

LearnPress is a widely used Learning Management System (LMS) plugin for WordPress, currently running on more than 100,000 sites. It lets educators and schools easily manage online courses and students.

About CVE-2024-8529

Vulnerability Type: SQL Injection
Affected Plugin: LearnPress
Affected Versions: All up to and including 4.2.7
Patched Version: 4.2.8 (check for updates!)

Where’s The Problem?
The flaw lives in the /wp-json/lp/v1/courses/archive-course REST API endpoint. This endpoint doesn't properly sanitize data coming from the c_fields parameter. That means hackers can send special values to change the SQL query in a malicious way.

How the Attack Works

The attacker doesn’t need to log in—anyone can abuse this endpoint! By sending a crafted API request, they can dump sensitive information like user emails, password hashes, and even sensitive site configuration.

1. Find a Target That Runs LearnPress ≤ 4.2.7

Check if they use LearnPress and haven’t updated recently.

2. Craft a Malicious POST Request

You can use tools like curl or Postman to send this exploit.

curl -X POST "https://victim-site.com/wp-json/lp/v1/courses/archive-course"; \
  -H "Content-Type: application/json" \
  -d '{
        "c_fields": "id,(SELECT//user_email//FROM//wp_users//LIMIT/**/,1)"
      }'

Here, we inject

"c_fields": "id,(SELECT/<b>/user_email/</b>/FROM/<b>/wp_users/</b>/LIMIT/**/,1)"

3. See The Response

The REST API may return the injected value in its results. The attacker repeats with different offsets (LIMIT 1,1, etc.) to dump more data, like password hashes.

Note:
Some sites may use non-standard WordPress database table prefixes, so attackers might need to adjust wp_users if, for example, the prefix is abc_, use abc_users.

Below is a *simplified pseudocode* of where the plugin goes wrong

// Example of vulnerable code inside the API handler

$c_fields = $_POST['c_fields'] ?? 'id';

// No escaping!
$sql = "SELECT $c_fields FROM wp_lp_courses";
$result = $wpdb->get_results($sql);

Should be

$c_fields = esc_sql($_POST['c_fields'] ?? 'id');

// Even better: Use prepared statements!
$sql = $wpdb->prepare("SELECT %s FROM wp_lp_courses", $c_fields);
$result = $wpdb->get_results($sql);

But better yet, never use user input for SQL column names!

Data breaches & privacy violations.

- Attackers can pivot, take over admin accounts, deface your site, install malware, or send phishing emails to your users.

Update Immediately:

Go to the plugin page and update to version 4.2.8 or later.

Restrict REST API Access:

If you don't use this API, consider restricting it to trusted users/IPs using WordPress security plugins.

Monitor for strange API requests in your server logs.

## References / Further Reading

- Patchstack Security Advisory: CVE-2024-8529
- WordPress Plugin Directory: LearnPress
- Official LearnPress Changelog
- OWASP SQL Injection Cheat Sheet

Conclusion

CVE-2024-8529 is critically dangerous because it allows data theft from WordPress sites running LearnPress. It is trivial to exploit and affects all versions before 4.2.8. Protect your users and your site—update now!


*This write-up is an exclusive, clear-cut guide to CVE-2024-8529. Please share it with your colleagues to help keep the WordPress community safe!*

Timeline

Published on: 09/12/2024 08:30:46 UTC