CVE-2024-1289 in LearnPress Plugin
Summary
by MITRE • 04/09/2024
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to obtain information on orders placed by other users and guests, which can be leveraged to sign up for paid courses that were purchased by guests. Emails of other users are also exposed.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/14/2026
The vulnerability identified as CVE-2024-1289 affects the LearnPress WordPress LMS plugin, a widely used educational platform that enables website administrators to create and manage online courses. This security flaw represents a critical Insecure Direct Object Reference vulnerability that exists across all plugin versions up to and including 4.2.6.3. The vulnerability stems from insufficient input validation within the plugin's order lookup functionality, specifically failing to properly validate user-controlled parameters when accessing order information. This weakness creates a significant security gap that allows authenticated attackers to bypass normal access controls and retrieve sensitive order data that should be restricted to authorized users.
The technical implementation of this vulnerability occurs within the plugin's order management system where it accepts direct object references without proper authorization checks. When an attacker submits a request containing a user-controlled key parameter, the system processes this input directly without validating whether the requesting user has legitimate access rights to view the specified order information. This flaw aligns with CWE-284, which describes improper access control mechanisms that allow unauthorized access to resources. The vulnerability operates at the application level where the plugin fails to implement proper object reference validation, making it possible for malicious actors to manipulate the order lookup process by simply changing the object identifier in the request.
The operational impact of this vulnerability extends beyond simple information disclosure, creating a comprehensive security breach that can be exploited for unauthorized course access and user data exposure. Attackers can leverage this vulnerability to view order details of other users and guests, potentially gaining access to payment information, course purchase records, and user email addresses. This exposure creates a pathway for unauthorized individuals to sign up for paid courses that were originally purchased by guests or other users, effectively enabling fraudulent course access. The exposure of user emails represents an additional privacy concern that could be exploited for spam campaigns or social engineering attacks. According to ATT&CK framework technique T1078, this vulnerability enables credential access and privilege escalation by allowing unauthorized access to user accounts and their associated data.
Mitigation strategies for this vulnerability should focus on immediate patching of the LearnPress plugin to the latest secure version that addresses the Insecure Direct Object Reference flaw. Administrators should implement proper input validation and authorization checks on all user-controlled parameters that reference application objects. The recommended approach involves adding comprehensive access control mechanisms that verify user permissions before allowing order information retrieval, implementing proper object reference validation, and ensuring that all order lookup operations require proper authentication and authorization. Additionally, network monitoring should be enhanced to detect unusual patterns of order information access that might indicate exploitation attempts. Organizations should also consider implementing role-based access controls and regular security audits of their WordPress plugins to prevent similar vulnerabilities from being introduced through third-party components. The vulnerability demonstrates the critical importance of proper access control implementation in web applications and highlights the need for thorough security testing of all user-facing interfaces that handle sensitive data.