Security researchers have claimed that tens of thousands of WordPress websites are vulnerable to several critical flaws found in a popular plugin.
The experts at PatchStack have discovered three vulnerabilities in LearnPress, a learning management system plugin that enables people with almost no coding knowledge to sell online courses and lessons through their WordPress sites.
The patch for the flaw in the Website Builder has been available for more than a month, but researchers warn that only a (significant) minority have applied it so far.
The fix is available
The three vulnerabilities in question are CVE-2022-47615, a vulnerability that allows threat actors to view credentials, authentication tokens, API keys, and the like; CVE-2022-45808, an uncertified SQL injection vulnerability that enables arbitrary code execution, and CVE-2022-45820, a validated SQL injection flaw that can also lead to data mining and arbitrary code execution.
PatchStack detected the defects between November 30 and December 2, 2022, and reported them to LearnPress shortly after. The company returned with a fix on December 20, bringing LearnPress to version 4.2.0. However, only 25% of websites have so far updated the plugin, PC Reported citing WordPress.org statistic data.
With approximately 100,000 websites currently actively using the plugin, this would bring the total number of websites still at risk to approximately 75,000. Since these are high-risk flaws with serious consequences, web administrators are urged to implement Patch immediately, or disable the plugin until they do.
WordPress is the most popular website builder platform in the world and therefore an attractive target for cybercriminals. While WordPress itself is relatively secure (less than 1% of all WP-related flaws fall on the platform), plugins (and free plugins, to be more precise) are usually the weakest link. While they bring countless additional functionality to the platform, it is crucial for webmasters to select the appropriate functionality and ensure that it is always up to date.
Via: BleepingComputer (Opens in a new tab)