#VU27425 Permissions, Privileges, and Access Controls in LearnPress - WordPress LMS Plugin - CVE-2020-11511

Cybersecurity Help s.r.o.

Published: 2020-04-29 | Updated: 2021-11-25

Vulnerability identifier: #VU27425

Vulnerability risk: High

CVSSv4.0: 7.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-11511

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
LearnPress - WordPress LMS Plugin
Web applications / Modules and components for CMS

Vendor: ThimPress

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the "LP Instructor" role grants the "unfiltered_html" capability. A remote attacker can send a specially crafted request to "wp-admin/admin-post.php" with the "action" parameter set to "accept-to-be-teacher" and the "user_id" parameter set to the ID of the user and elevate the permissions of a user of their choice.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

LearnPress - WordPress LMS Plugin: 2.2.1 - 3.2.6.8

External links
https://wpvulndb.com/vulnerabilities/10195/
https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in LearnPress – WordPress LMS Plugin