cbcvebase.
CVE-2024-11868
published 2024-12-10

CVE-2024-11868: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via…

PriorityP278medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.11%
61.8th percentile
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material.

Affected

2 ranges
VendorProductVersion rangeFixed in
thimpresslearnpress< 4.2.7.44.2.7.4
thimpresslearnpress_wordpress_lms_plugin_for_create_and_sell_online_courses<= 4.2.7.3

Detection & IOCsextracted from sources · hover to see the quote

url/wp-json/lp/v1/material/item-materials/1
path/wp-content/plugins/learnpress/
pathclass-lp-rest-material-controller.php
  • Unauthenticated GET request to the REST endpoint /wp-json/lp/v1/material/item-materials/{id} with a 200 response and JSON body containing '"status"', '"success"', and '"message"' fields indicates active exploitation of CVE-2024-11868.
  • Successful exploitation response body contains the key '"file_name"' with a value, extractable via regex '"file_name"\s*:\s*"([^"]+)"', indicating paid course material was disclosed.
  • Response Content-Type header of 'application/json' combined with body words '"status"', '"success"', and '"message"' (and absence of 'rest_no_route' or 'No route was found') confirms a vulnerable LearnPress instance.
  • Presence of '/wp-content/plugins/learnpress/' in HTTP response body can be used to fingerprint potentially vulnerable LearnPress installations for targeted scanning.
  • ·The vulnerable endpoint uses a numeric item ID parameter (e.g., /1); attackers may enumerate IDs to extract multiple course materials. Detection rules should account for sequential or iterated requests to this endpoint path.
  • ·Exploitation requires no authentication (PR:N, UI:N per CVSS), meaning any unauthenticated HTTP GET to the REST endpoint is sufficient — no session cookie or token is needed in detection logic.
  • ·Affected versions are all LearnPress plugin versions up to and including 4.2.7.3; version 4.2.7.4 and above are patched. Version-based detection should flag installs at or below 4.2.7.3.

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.