Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-11868

CWE-284 — Improper Access Control5 documents5 sources

Severity

5.3MEDIUM

EPSS

15.1%

top 5.42%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Thimpress Learnpress Thimpress Learnpress – Wordpress LMS Plugin FOR Create AND Sell Online Courses

Timeline

PublishedDec 10

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5thimpress/learnpress_–_wordpress_lms_plugin_for_create_and_sell_online_courses4.2.7.3

▶NVDthimpress/learnpress< 4.2.7.4

🔴Vulnerability Details

CVEList

LearnPress – WordPress LMS Plugin <= 4.2.7.3 - Course Material Sensitive Information Exposure via REST API↗2024-12-10

▶

GHSA

GHSA-fwxq-9276-7658: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4↗2024-12-10

▶

VulnCheck

thimpress learnpress Improper Access Control↗2024

▶

💥Exploits & PoCs

Nuclei

LearnPress < 4.2.7.4 - Course Material - Information Disclosure

▶