CVE-2024-6099
Published 2024-07-02
Priority P4 · 32 · medium · 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.42% (33.6th percentile)
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | microsoft_edge | — | — |
| msrc | microsoft_edge_extended_stable | — | — |
| thimpress | learnpress | < 4.2.6.8.2 | 4.2.6.8.2 |
| thimpress | learnpress_wordpress_lms_plugin_for_create_and_sell_online_courses | <= 4.2.6.8.1 | — |
CVSS provenance
nvd · v3.1 · 5.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_msrc · 8.8 · HIGH
GHSA
GHSA-cwx6-fw99-mwh9: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and includi
ghsa_unreviewed·2024-07-02
CVE-2024-6099 [MEDIUM] CWE-420 GHSA-cwx6-fw99-mwh9: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and includi
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
Microsoft
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
vendor_msrc·2024-02-13·CVSS 8.3
CVE-2024-21399 [HIGH] CWE-416 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.98 | 2/1/2024 | 121.0.6167.139/140 |
| Extended Stable | 120.0.2210.167 | 2/1/2024 | 120.0.6099.276 |
FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
This vulnerability could lead to a browser sandbox escape.
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit
Microsoft
Chromium: CVE-2024-1060 Use after free in Canvas
vendor_msrc·2024-02-13·CVSS 8.8
CVE-2024-1060 [HIGH] Chromium: CVE-2024-1060 Use after free in Canvas
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.98 | 2/1/2024 | 121.0.6167.139/140 |
| Extended Stable | 120.0.2210.167 | 2/1/2024 | 120.0.6099.276 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can
Microsoft
Chromium: CVE-2024-1059 Use after free in WebRTC
vendor_msrc·2024-02-13·CVSS 8.8
CVE-2024-1059 [HIGH] Chromium: CVE-2024-1059 Use after free in WebRTC
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.98 | 2/1/2024 | 121.0.6167.139/140 |
| Extended Stable | 120.0.2210.167 | 2/1/2024 | 120.0.6099.276 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can
Microsoft
Chromium: CVE-2024-1077 Use after free in Network
vendor_msrc·2024-02-13·CVSS 8.8
CVE-2024-1077 [HIGH] Chromium: CVE-2024-1077 Use after free in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ:
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.98 | 2/1/2024 | 121.0.6167.139/140 |
| Extended Stable | 120.0.2210.167 | 2/1/2024 | 120.0.6099.276 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can
Microsoft
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
vendor_msrc·2024-01-09·CVSS 8.3
CVE-2024-21385 [HIGH] CWE-416 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/2024 | 120.0.6099.268 |
FAQ: Why is the severity for this CVE rated as Moderate, but the CVSS score is higher than normal?
Per our severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity, specifically it says, "If a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded". The CVSS scoring system doesn't allow for this type of nuance.
FAQ: According to the CVSS metric,
Microsoft
Adobe Systems Incorporated: CVE-2024-20721 Improper Input Validation Denial of Service Vulnerability
vendor_msrc·2024-01-09·CVSS 5.5
CVE-2024-20721 [MEDIUM] Adobe Systems Incorporated: CVE-2024-20721 Improper Input Validation Denial of Service Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Based on Chromium Version | Date Released |
|---|---|---|---|
| Stable | 120.0.2210.133 | 120.0.6099.216/217 | 1/11/2024 |
FAQ: Why is this Adobe CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Adobe Software which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
Click on Help and Feedback
Cl
Microsoft
Microsoft Edge for Android Spoofing Vulnerability
vendor_msrc·2024-01-09·CVSS 5.3
CVE-2024-21387 [MEDIUM] CWE-357 Microsoft Edge for Android Spoofing Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/2024 | 120.0.6099.268 |
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could cover and spoof elements of the UI. The modified information is only visual.
Microsoft Edge for Android: Microsoft Edge for Android
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Spoofing
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest
Microsoft
Microsoft Edge (Chromium-based) Spoofing Vulnerability
vendor_msrc·2024-01-09·CVSS 3.3
CVE-2024-21383 [LOW] CWE-347 Microsoft Edge (Chromium-based) Spoofing Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/2024 | 120.0.6099.268 |
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker must send the user a malicious file and convince them to open it.
FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N), some loss of integrity (I:L) but have no effect on availability (A:N). How could an attacker impact the PDF File Signature?
An attacker could spoof the PDF signature
Microsoft
Adobe Systems Incorporated: CVE-2024-20709 Javascript Implementation PDF Vulnerability
vendor_msrc·2024-01-09·CVSS 5.5
CVE-2024-20709 [MEDIUM] Adobe Systems Incorporated: CVE-2024-20709 Javascript Implementation PDF Vulnerability
Description: This CVE was assigned by Adobe Systems Incorporated. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Based on Chromium Version | Date Released |
|---|---|---|---|
| Stable | 120.0.2210.133 | 120.0.6099.216/217 | 1/11/2024 |
FAQ: Why is this Adobe CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Adobe Software which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is
Microsoft
Microsoft Edge for Android Information Disclosure Vulnerability
vendor_msrc·2024-01-09·CVSS 4.3
CVE-2024-21382 [MEDIUM] CWE-942 Microsoft Edge for Android Information Disclosure Vulnerability
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?
Exploitation of this vulnerability only discloses limited information, no sensitive information can be obtained.
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/2024 | 120.0.6099.268 |
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
In a web-based attack scenario, an attacker could host a website (or leverag
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.6.8.1/inc/class-lp-checkout.php#L124
https://plugins.trac.wordpress.org/changeset/3109339/
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ee714c7-4c9b-4627-9ba9-f83aeca6a0a5?source=cve
Published: 2024-07-02