CVE-2024-8522 in LearnPress Plugin
Summary
by MITRE • 09/12/2024
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
by VulDB Data Team • 07/31/2025
The LearnPress WordPress LMS plugin presents a critical SQL injection vulnerability (CVE-2024-8522) that affects all versions up to and including 4.2.7. This vulnerability exists within the REST API endpoint at /wp-json/learnpress/v1/courses where the 'c_only_fields' parameter is inadequately sanitized. The flaw stems from insufficient input validation and escaping mechanisms that fail to properly prepare user-supplied data before incorporating it into database queries. Security researchers have identified this as a direct violation of secure coding practices that should prevent malicious input from altering the intended query execution flow.
The vulnerability allows unauthenticated attackers to manipulate the SQL query structure through the 'c_only_fields' parameter, appending additional SQL operations to existing database queries. Attackers can thereby construct SQL statements that extract sensitive information from the underlying database without any authentication credentials or privileged access. The flaw sits at the database layer, where the plugin fails to implement proper parameterized queries or adequate input sanitization, creating a pathway for data exfiltration and potential system compromise.
From an operational perspective, this vulnerability poses significant risks to WordPress installations using the LearnPress plugin, particularly those hosting educational content, user data, and course materials. Attackers can use this flaw to extract user credentials, course information, payment data, and other sensitive database records that may contain personally identifiable information. The impact extends beyond simple data theft, as the vulnerability could serve as a foothold for further attacks, including privilege escalation or lateral movement within the compromised WordPress environment. Organizations running these vulnerable versions face increased exposure to data breaches and regulatory compliance violations.
The vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws in software applications. It also maps to ATT&CK technique T1213.002, representing data from information repositories, as attackers can systematically extract database contents through this injection vector. The lack of proper input validation and query preparation represents a fundamental security flaw that violates core principles of secure application development. Organizations should immediately implement mitigations: update the plugin to a version that addresses this vulnerability, deploy a web application firewall to monitor and block suspicious API requests, and conduct comprehensive security audits of their WordPress installations. Additionally, database access controls should be reviewed to limit the potential impact of successful exploitation, and regular security monitoring should be implemented to detect anomalous API activity patterns that may indicate exploitation attempts.
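One way to act on the monitoring recommendation is to triage web access logs for requests to the affected endpoint whose 'c_only_fields' value is not a plain list of field names. The following is an added example, not code from VulDB, MITRE or the LearnPress project; the function names, the combined log format and the identifier allowlist are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/wp-json/learnpress/v1/courses"   # endpoint named in the advisory
PARAM = "c_only_fields"                       # parameter named in the advisory
# Assumption: legitimate values are comma-separated column-style identifiers.
FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_fields(target):
    """Return the c_only_fields items that are not plain identifiers."""
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    path = unquote(url.path).rstrip("/")
    # WordPress also serves REST routes through ?rest_route=/namespace/route
    for name, value in params:
        if name == "rest_route":
            path = "/wp-json" + value.rstrip("/")
    if path != ENDPOINT:
        return []
    bad = []
    for name, value in params:
        if name == PARAM:
            # Decode once more so double-encoded input is reported in its final form.
            items = [f.strip() for f in unquote(value).split(",")]
            bad += [f for f in items if f and not FIELD_RE.match(f)]
    return bad

def flag_requests(log_lines):
    """Return (line_number, offending_items) for requests worth triage."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        bad = suspicious_fields(m.group(1)) if m else []
        if bad:
            hits.append((n, bad))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.5 - - [12/Sep/2024:10:00:01 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=ID,post_title HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Sep/2024:10:00:02 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=ID%2C%28select%201%29 HTTP/1.1" 200 98',
    '203.0.113.9 - - [12/Sep/2024:10:00:03 +0000] "GET /?rest_route=/learnpress/v1/courses&c_only_fields=ID%2520x HTTP/1.1" 200 98',
    '203.0.113.7 - - [12/Sep/2024:10:00:04 +0000] "GET /wp-json/wp/v2/posts?c_only_fields=a%20b HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for n, bad in flag_requests(SAMPLE):
        print(n, bad)
```

A hit is a reason to look at the request and the installed plugin version, not proof of compromise; the same identifier allowlist can back a WAF rule for this endpoint.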