CVE-2020-6010
published 2020-04-30
CVE-2020-6010: LearnPress WordPress plugin versions up to and including 3.2.6.7 are vulnerable to SQL injection
Priority P272 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 49.23% (98.7th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thimpress | learnpress | <= 3.2.6.7 | — |
Detection & IOCs (extracted from sources)
- The vulnerable sink is the _get_items method within the LP_Modal_Search_Items class; monitor for unsanitized use of the GET/POST parameter 'current_items' in SQL queries.
- The exploit requires an authenticated session; look for the presence of 'wp_learn_press_session_*' and 'wordpress_logged_in_*' cookies alongside suspicious POST bodies to post-new.php.
- CVE-2020-6010 is a time-based blind SQL injection; monitor for anomalous database response latency correlated with requests to post-new.php containing the 'current_items' parameter.
- Exploitation requires an authenticated session (any registered user); unauthenticated exploitation is not possible for this specific CVE.
- The vulnerability affects LearnPress versions 3.2.6.7 and below; versions 3.2.6.8 and above (patched at 3.2.7) are not affected.
CVSS provenance
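| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |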
No detection rules found.
Exploit-DB
WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
exploitdb·2021-07-19·CVSS 8.8
CVE-2020-6010 [HIGH] WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
---
# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: /wp-admin
2. Login with a cred
3. Execute the payload
POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_t
Metasploit
Wordpress LearnPress current_items Authenticated SQLi
metasploit
LearnPress, a learning management plugin for WordPress, prior to 3.2.6.8 is affected by an authenticated SQL injection via the current_items parameter of the post-new.php page.
Tenable
WordPress E-Learning Plugin Vulnerabilities Range from Cheating to Remote Code Execution
blogs_tenable·2020-04-30
Checkpoint
E-Learning Platforms Getting Schooled – Multiple Vulnerabilities in WordPress’ Most Popular Learning Management System Plugins
blogs_checkpoint·2020-04-29
CVE-2020-6008 E-Learning Platforms Getting Schooled – Multiple Vulnerabilities in WordPress’ Most Popular Learning Management System Plugins
Research by: Omri Herscovici and Sagi Tzadik
Bugzilla
CVE-2020-11042 freerdp: out-of-bounds read in update_read_icon_info function
bugzilla·2020-05-13·CVSS 5.5
CVE-2020-11042 [MEDIUM] CVE-2020-11042 freerdp: out-of-bounds read in update_read_icon_info function
In FreeRDP greater than 1.1 and before 2.0.0, there is an out-of-bounds read in update_read_icon_info. It allows reading an attacker-defined amount of client memory (32bit unsigned -> 4GB) to an intermediate buffer. This can be used to crash the client or store information for later retrieval. This has been patched in 2.0.0.
References:
https://github.com/FreeRDP/FreeRDP/issues/6010
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9jp6-5vf2-cx2q
Upstream commit:
https://github.com/FreeRDP/FreeRDP/commit/6b2bc41935e53b0034fe5948aeeab4f32e80f30f
Discussion:
Created freerdp tracking bugs for this issue:
Affects: epel-all [bug 1835385]
Affects: fedora-all [bug 1835383]
Created freerdp1.2 tracking bug
- http://packetstormsecurity.com/files/163536/WordPress-LearnPress-SQL-Injection.html
- https://plugins.trac.wordpress.org/browser/learnpress/trunk/readme.txt?rev=2288975
- https://research.checkpoint.com/2020/e-learning-platforms-getting-schooled-multiple-vulnerabilities-in-wordpress-most-popular-learning-management-system-plugins/
- https://wordpress.org/plugins/learnpress/#developers
Published: 2020-04-30