Thousands of WordPress sites at risk from online course plug-in flaw

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

Tens of thousands of WordPress websites are vulnerable to multiple high-severity flaws found in a popular plug-in, security researchers have claimed.

Experts at PatchStack discovered three vulnerabilities in LearnPress, a learning management system plugin that enables people with almost no coding knowledge to sell online courses and lessons through their WordPress websites.

The patch for the flaws in the website builder has been available for more than a month, but the researchers warn that only a (significant) minority have applied it so far.

TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

A fix is available

The three vulnerabilities in question are CVE-2022-47615, a vulnerability that allows threat actors to view credentials, authentication tokens, API keys, and similar; CVE-2022-45808, an unauthenticated SQL injection vulnerability that enables arbitrary code execution, and CVE-2022-45820, an authenticated SQL injection flaw which can also lead to data exfiltration and arbitrary code execution.

PatchStack discovered the flaws between November 30 and December 2, 2022, and reported them to LearnPress soon after. The company came back with a fix on December 20, bringing LearnPress to version 4.2.0. However, so far just 25% of websites updated the plug-in, BleepingComputer reported citing statistical data.

Given that roughly 100,000 websites are currently actively using the plug-in, that would bring the total number of still vulnerable websites to approximately 75,000. As these are high-severity flaws with serious consequences, web admins are urged to apply the patch immediately, or disable the plugin until they do.

WordPress is the most popular website building platform in the world, and as such, it’s an attractive target for cybercriminals. While WordPress itself is relatively secure (less than 1% of all WP-related flaws fall on the platform), its plug-ins (and free plug-ins, to be more exact) are usually the weakest link. While they bring countless extra functionalities to the platform, it is paramount webmasters choose the right ones and make sure they are always updated. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.