CVE-2024-8522

CRITICAL EXPLOITED NUCLEI

LearnPress - WordPress LMS Plugin <4.2.7 - SQL Injection

Title source: llm

Exploitation Summary

CVE-2024-8522 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Francisco Moraga (BTshell), Avento, abrahack, Valentin Lobstein, Achref Ben Thameur a.k.a achrefthameur, including a Metasploit module auxiliary/scanner/http/wp_learnpress_c_fields_sqli. A Nuclei detection template is also available.

AI-analyzed exploit summary The provided exploit demonstrates a SQL injection vulnerability in the LearnPress WordPress plugin (versions <= 4.2.7) via the unauthenticated API endpoint parameter 'c_only_fields'. The PoC includes a Python script that tests for the vulnerability by measuring response time delays caused by injected SQL payloads.

Description

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (3)

exploitdb WORKING POC

by Francisco Moraga (BTshell) · textwebappsphp

https://www.exploit-db.com/exploits/52171

View Code ZIP pw:eip

The provided exploit demonstrates a SQL injection vulnerability in the LearnPress WordPress plugin (versions <= 4.2.7) via the unauthenticated API endpoint parameter 'c_only_fields'. The PoC includes a Python script that tests for the vulnerability by measuring response time delays caused by injected SQL payloads.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: LearnPress WordPress LMS Plugin <= 4.2.7

No auth needed

Prerequisites: Target running LearnPress WordPress plugin version <= 4.2.7 · Access to the LearnPress API endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by Avento · infoleak

https://github.com/Avento/CVE-2024-8522

View Code ZIP pw:eip

This repository contains a proof-of-concept for an unauthenticated SQL injection vulnerability in LearnPress WordPress LMS Plugin versions <= 4.2.7. The exploit leverages the 'c_only_fields' parameter in a REST API endpoint to inject malicious SQL payloads, demonstrated via a time-based blind SQLi technique.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: LearnPress WordPress LMS Plugin <= 4.2.7

No auth needed

Prerequisites: Target must have LearnPress WordPress LMS Plugin <= 4.2.7 installed · REST API endpoint must be accessible

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

by abrahack, Valentin Lobstein, Achref Ben Thameur a.k.a achrefthameur · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_learnpress_c_fields_sqli.rb

View Code ZIP pw:eip

This Metasploit module exploits unauthenticated SQL injection vulnerabilities (CVE-2024-8522 and CVE-2024-8529) in the LearnPress WordPress LMS Plugin via the 'c_only_fields' and 'c_fields' parameters. It uses time-based blind SQL injection to extract sensitive information such as user credentials.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: LearnPress WordPress LMS Plugin up to version 4.2.7

No auth needed

Prerequisites: Target running vulnerable LearnPress WordPress LMS Plugin · Network access to the target WordPress site

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

LearnPress < 4.2.7.1 - SQL Injection

CRITICALby pdresearch,iamnoooob,rootxharsh

Shodan: html:"/wp-content/plugins/learnpress"

FOFA: body="/wp-content/plugins/learnpress"

References (4)

Core 4

Core References

https://abrahack.com/posts/learnpress-sqli/

Product

https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/jwt/rest-api/version1/class-lp-rest-courses-v1-controller.php#L441

Patch

https://plugins.trac.wordpress.org/changeset/3148560/learnpress/tags/4.2.7.1/inc/jwt/rest-api/version1/class-lp-rest-courses-v1-controller.php?old=3138586&old_path=learnpress%2Ftags%2F4.2.7%2Finc%2Fjwt%2Frest-api%2Fversion1%2Fclass-lp-rest-courses-v1-controller.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/e495507d-7eac-4f38-ab6f-b8f0809b2be4?source=cve

Scores

CVSS v3 10.0

EPSS 0.8713

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-09-12

CWE

CWE-89

Status published

Products (2)

thimpress/learnpress < 4.2.7.1

thimpress/LearnPress – WordPress LMS Plugin for Create and Sell Online Courses < 4.2.7

Published Sep 12, 2024

Tracked Since Feb 18, 2026