CVE-2023-6634
Published 2024-01-11
Priority P185 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 8.54% (94.4th percentile)
The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thimpress | learnpress | <= 4.2.5.7 | — |
| thimpress | learnpress_wordpress_lms_plugin_for_create_and_sell_online_courses | <= 4.2.5.7 | — |
Detection & IOCs
- other: `LearnPress {{randstr}}')`
- CVE-2023-6634 exploits the `get_content` function in LearnPress (≤4.2.5.7) via PHP `call_user_func` with user-supplied input, allowing unauthenticated callers to invoke any public PHP function with one parameter. Monitor for unexpected PHP function calls originating from unauthenticated HTTP requests to LearnPress endpoints.
- Probe payloads for this CVE produce an HTTP 200 response; detection rules should flag 200-status responses to LearnPress `get_content` requests that contain randomised/fuzzing strings (e.g. template-injection markers like `{{randstr}}`) in the body or parameters.
- The vulnerability affects ALL versions of the LearnPress WordPress plugin up to and including 4.2.5.7; any site running this version range is exposed to unauthenticated RCE.
- No authentication is required to exploit this vulnerability, meaning it is exposed to the entire internet without any credential barrier.
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 8.1 HIGH
GHSA
GHSA-3jrv-ghj9-h744: The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4
ghsa_unreviewed · 2024-01-11
CVE-2023-6634 [HIGH] CWE-77
VulnCheck
thimpress learnpress Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
vulncheck · 2023 · CVSS 8.1
CVE-2023-6634 [HIGH] thimpress learnpress Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Affected: thimpress learnpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/learnpress/wordpress-learnpress-plugin-4-2-5-7-comman
No detection rules found.
Nuclei
LearnPress < 4.2.5.8 - Remote Code Execution
nuclei · CVSS 9.8
CVE-2023-6634 [CRITICAL] LearnPress < 4.2.5.8 - Remote Code Execution
```
LearnPress {{randstr}}') "
- "status_code == 200"
condition: and
# digest: 4a0a00473045022100f54dae428ee5f42c00d75d4ffc16c11517aedf19746c3054290321f1c70be0b1022043b0dbfc9de12ebf77a453528251104246c7b351cef3e4d42fdac4b33c593433:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
- https://plugins.trac.wordpress.org/changeset/3013957/learnpress
- https://www.wordfence.com/threat-intel/vulnerabilities/id/21291ed7-cdc0-4698-9ec4-8417160845ed?source=cve