LifterLMS <= 3.34.5 - Unauthenticated Options Import



Description
Unauthenticated options import, which could lead to:
- Website Redirection
- Administrator Account Creation
- Content Injection
- Stored XSS

The issues have been reported as fixed in 3.35.0. However, v3.35.1 added further input sanitisation and filtering.

Affects Plugin

fixed in version 3.35.1

References

CVE 2019-15896
URL https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-lifterlms-plugin/

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Jerome Bruandet (nintechnet.com)
Verified No
WPVDB ID 9871

Timeline

Publicly Published 2019-09-09
Added 2019-09-09
Last Updated 2019-09-09
