CVE-2023-6634
published 2024-01-11


Priority: P185
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: exploited in the wild (ITW exploit), VulnCheck KEV, initial access
EPSS: 8.54% (94.4th percentile)
The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.

Affected (2 ranges)

Vendor     Product                                                             Version range   Fixed in
thimpress  learnpress                                                          <= 4.2.5.7
thimpress  learnpress_wordpress_lms_plugin_for_create_and_sell_online_courses  <= 4.2.5.7

Detection & IOCs (extracted from sources)

other: LearnPress {{randstr}}')
  • CVE-2023-6634 exploits the `get_content` function in LearnPress (≤4.2.5.7) via PHP `call_user_func` with user-supplied input, allowing unauthenticated callers to invoke any public PHP function with one parameter — monitor for unexpected PHP function calls originating from unauthenticated HTTP requests to LearnPress endpoints.
  • Probe payloads for this CVE produce an HTTP 200 response; detection rules should flag 200-status responses to LearnPress `get_content` requests that contain randomised/fuzzing strings (e.g. template-injection markers like `{{randstr}}`) in the body or parameters.
  • The vulnerability affects ALL versions of the LearnPress WordPress plugin up to and including 4.2.5.7; any site running this version range is exposed to unauthenticated RCE.
  • No authentication is required to exploit this vulnerability, meaning it is exposed to the entire internet without any credential barrier.

CVSS provenance

NVD: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.1 HIGH