LearnPress < 3.2.6.9 - Privilege Escalation to "LP Instructor"
Description
The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The "LP Instructor" role grants the "unfiltered_html" capability, so an escalated user can insert posts containing malicious JavaScript.
Proof of Concept
It is possible for a remote attacker to elevate the privileges of any user to LP Instructor by sending a request to any location within wp-admin, such as wp-admin/admin-post.php with the action parameter set to accept-to-be-teacher and the user_id parameter set to an arbitrary user ID. This is possible because the learn_press_accept_become_a_teacher function runs on the plugins_loaded action and lacks nonce checks and capability checks.
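As an added illustration of the missing controls (not LearnPress's own code), the handler below performs the checks the advisory says were absent: it runs on an authenticated admin-post hook rather than plugins_loaded, requires a capability, and verifies a nonce bound to the target user ID. All function, hook, nonce and meta-key names are assumptions.

```php
<?php
// Added example: a hardened "accept to be teacher" handler.
// Hook names, nonce action, meta key and role slug are illustrative
// assumptions, not code from the LearnPress plugin.

// admin_post_{action} only fires for logged-in users; an unauthenticated
// request never reaches this function (unlike a plugins_loaded hook).
add_action( 'admin_post_accept_to_be_teacher', 'example_accept_become_a_teacher' );

function example_accept_become_a_teacher() {
    // 1. Capability check: only users allowed to change roles may proceed.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to change user roles.', 'example' ), 403 );
    }

    // 2. Nonce check, bound to the specific target user so a nonce issued
    //    for one user cannot be replayed against another. The link that
    //    triggers this action must be built with
    //    wp_nonce_url( ..., 'example_accept_teacher_' . $user_id ).
    //    check_admin_referer() calls wp_die() itself on failure.
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    if ( ! $user_id ) {
        wp_die( esc_html__( 'Invalid request.', 'example' ), 400 );
    }
    check_admin_referer( 'example_accept_teacher_' . $user_id );

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_die( esc_html__( 'Unknown user.', 'example' ), 404 );
    }

    // 3. Business-logic check: only promote a user who actually applied
    //    to become an instructor (flag stored in user meta; key is assumed).
    if ( ! get_user_meta( $user_id, '_example_requested_instructor', true ) ) {
        wp_die( esc_html__( 'This user has not applied to become an instructor.', 'example' ), 400 );
    }

    // 4. Apply the role (slug is an assumption) and clear the request flag,
    //    so the same approval cannot be reused later.
    $user->set_role( 'lp_teacher' );
    delete_user_meta( $user_id, '_example_requested_instructor' );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'users.php' ) ) );
    exit;
}
```

Because the "LP Instructor" role carries unfiltered_html, the capability and nonce checks here are what stop an arbitrary request from turning any account into one that can publish unfiltered script.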

Affects Plugin

LearnPress, fixed in version 3.2.6.9

References

CVE CVE-2020-11511
URL https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Ramuel Gall (Wordfence)
Submitter Ramuel Gall
Views 560
Verified No
WPVDB ID 10195

Timeline

Publicly Published 2020-04-28
Added 2020-04-28
Last Updated 2020-04-29