Tens of thousands of WordPress websites are vulnerable to multiple high-severity flaws found in a popular plug-in, security researchers have claimed.
Experts at PatchStack discovered three vulnerabilities in LearnPress, a learning management system plugin that enables people with almost no coding knowledge to sell online courses and lessons through their WordPress websites.
The patch for the flaws in the website builder has been available for more than a month, but the researchers warn that only a (significant) minority have applied it so far.
A fix is available
The three vulnerabilities in question are CVE-2022-47615, a vulnerability that allows threat actors to view credentials, authentication tokens, API keys, and similar; CVE-2022-45808, an unauthenticated SQL injection vulnerability that enables arbitrary code execution, and CVE-2022-45820, an authenticated SQL injection flaw which can also lead to data exfiltration and arbitrary code execution.
PatchStack discovered the flaws between November 30 and December 2, 2022, and reported them to LearnPress soon after. The company came back with a fix on December 20, bringing LearnPress to version 4.2.0. However, so far just 25% of websites updated the plug-in, BleepingComputer reported citing WordPress.org statistical data.
Given that roughly 100,000 websites are currently actively using the plug-in, that would bring the total number of still vulnerable websites to approximately 75,000. As these are high-severity flaws with serious consequences, web admins are urged to apply the patch immediately, or disable the plugin until they do.
WordPress is the most popular website building platform in the world, and as such, it’s an attractive target for cybercriminals. While WordPress itself is relatively secure (less than 1% of all WP-related flaws fall on the platform), its plug-ins (and free plug-ins, to be more exact) are usually the weakest link. While they bring countless extra functionalities to the platform, it is paramount webmasters choose the right ones and make sure they are always updated.
Via: BleepingComputer (opens in new tab)