Researchers say tens of thousands of WordPress sites are vulnerable to a number of serious bugs found in a popular plugin.
PatchStack experts discovered three vulnerabilities in LearnPress, a learning management system plugin that allows people with almost no coding knowledge to sell courses and lessons online through their WordPress sites.
A patch that fixes the flaws has been available for more than a month, but researchers warn that so far only a minority of sites, albeit a significant one, has applied it.
The fix is available
The three vulnerabilities in question are CVE-2022-47615, a vulnerability that allows attackers to view credentials, authentication tokens, API keys, and the like; CVE-2022-45808, an unauthenticated SQL injection vulnerability that could lead to arbitrary code execution; and CVE-2022-45820, an authenticated SQL injection vulnerability that could also lead to data exfiltration and arbitrary code execution.
PatchStack discovered the vulnerabilities between November 30 and December 2, 2022, and reported them to LearnPress shortly thereafter. The company came back with a fix on December 20, bringing LearnPress to version 4.2.0. However, so far only 25% of sites have updated the plugin, BleepingComputer reported, citing WordPress.org statistics.
Considering that approximately 100,000 websites are currently actively using the plugin, the total number of websites still vulnerable would be approximately 75,000. Since these are high-severity vulnerabilities, site administrators are advised to apply the patch immediately or to disable the plugin until the flaws have been removed.
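A check for that advice, as an added example that is not from the article or the LearnPress project: it reads the plugin header from a WordPress install (assuming the plugin's main file is at wp-content/plugins/learnpress/learnpress.php) and compares the installed version with the 4.2.0 fix release, handling short and pre-release version strings.

```python
import re
from pathlib import Path

# Release that shipped the fix for CVE-2022-47615, CVE-2022-45808 and
# CVE-2022-45820, as stated in the article.
FIXED_VERSION = "4.2.0"

# Assumed plugin location relative to the WordPress root; adjust if your
# install places the plugin elsewhere.
PLUGIN_MAIN_FILE = "wp-content/plugins/learnpress/learnpress.php"

# Constructed sample of a WordPress plugin header for offline demonstration.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LearnPress
 * Version: 4.1.7.3
 */
"""


def parse_plugin_version(header_text):
    """Return the 'Version:' value from a WordPress plugin header, or None."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)",
                      header_text, re.MULTILINE)
    return match.group(1) if match else None


def version_key(version):
    """Turn '4.1.7.3' into a tuple of ints; non-numeric parts (beta, rc) sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version predates the patched release."""
    a, b = version_key(version), version_key(fixed)
    width = max(len(a), len(b))          # pad so that 4.2 == 4.2.0
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_install(wp_root):
    """Report (version, vulnerable) for the WordPress install at wp_root."""
    path = Path(wp_root) / PLUGIN_MAIN_FILE
    if not path.exists():
        return None, False               # plugin not installed: nothing to patch
    version = parse_plugin_version(path.read_text(errors="replace"))
    if version is None:
        return None, True                # unreadable header: treat as unverified
    return version, is_vulnerable(version)


if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
```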
WordPress is the most popular website building platform in the world and as such is an attractive target for cybercriminals. While WordPress itself is relatively secure (less than 1% of all WP-related flaws are in the platform itself), its plugins (more precisely, free plugins) tend to be the weakest link. While they provide countless extra features on the platform, it is paramount that webmasters choose the right ones and make sure they are always updated.
By: BleepingComputer