
Vulnerabilities in LearnPress, a WordPress plugin, would affect more than 75,000 sites that do not apply the latest patch

LearnPress, one of the most widely used WordPress plugins, has three “critical” vulnerabilities that could affect more than 75,000 websites if the 4.2.0 update, which fixes security flaws such as SQL injection (injection of intrusive code) by unauthenticated users, is not applied.


LearnPress is a Learning Management System (LMS) plugin for WordPress that lets websites create and sell online courses, lessons, and quizzes without any coding knowledge.

Researchers at Patchstack, a WordPress security company, found three “critical” vulnerabilities in LearnPress during 2022 and reported them to the software vendor so that a fix could be implemented, as explained on their website.


As a result, version 4.2.0 of the LearnPress plugin was published on December 20, 2022, correcting all the vulnerabilities reported by Patchstack. Nevertheless, only about 25% of websites using this plugin have applied this patch, as shown by the data collected by WordPress.

Since LearnPress has more than 100,000 active installations, around 75,000 websites could therefore still be affected by the vulnerabilities found last year, which can have serious repercussions.

The first vulnerability discovered by Patchstack is CVE-2022-47615, a flaw that allows unauthenticated Local File Inclusion (LFI). It lets attackers display the contents of local files on the web server.


That is, it can expose files that may contain sensitive data such as passwords, credentials, authorization tokens, and API keys.

The second vulnerability is CVE-2022-45808, which allows unauthenticated SQL injection. SQL injection is a technique for inserting attacker-controlled code into the database queries an application runs. Through it, the attacker could potentially disclose sensitive information, modify data, and execute arbitrary code, that is, run commands in the application at will.


Finally, the third bug found is CVE-2022-45820, which also involves SQL injection, but an authenticated one: to trigger the injection, the user must have at least the Contributor role on the website, according to Patchstack. This vulnerability can also lead to data leakage.

For all these reasons, Patchstack recommends that owners of websites using LearnPress update to version 4.2.0 as soon as possible.
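To act on that recommendation across many installs, the following added example (not code from Patchstack, LearnPress or the article) reads the version from a plugin's main-file header, assumed here to be wp-content/plugins/learnpress/learnpress.php, and flags anything older than 4.2.0; the header text below is a constructed sample, and versions are compared numerically so that, for instance, 4.10.1 is correctly treated as newer than 4.2.0.

```python
import re
from pathlib import Path

# Constructed sample of the header comment WordPress reads from a plugin's
# main file (assumed path: wp-content/plugins/learnpress/learnpress.php).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: LearnPress
 * Description: constructed sample header for the version check
 * Version: 4.1.7.3
 */
"""

# Release that, per the article, fixed CVE-2022-47615, -45808 and -45820.
PATCHED_VERSION = "4.2.0"


def parse_version(text):
    """Turn '4.1.7.3' into (4, 1, 7, 3) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def header_version(header_text):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M | re.I)
    if not m:
        raise ValueError("no Version: field in plugin header")
    return m.group(1)


def needs_patch(installed, patched=PATCHED_VERSION):
    """True when the installed version is older than the fixed release."""
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    # Zero-pad so that '4.2' compares equal to '4.2.0'.
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def check_plugin_file(path):
    """Read a plugin's main file from disk and report whether it needs the update."""
    return needs_patch(header_version(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    version = header_version(SAMPLE_PLUGIN_HEADER)
    status = "UPDATE REQUIRED" if needs_patch(version) else "patched"
    print(f"LearnPress {version}: {status}")
```

Point check_plugin_file at the real plugin file on each site to inventory which installs still lack the fix.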

Source: Elcomercio
