A popular WordPress learning management system plugin, LearnPress, was affected by multiple critical-severity vulnerabilities, including SQL injection and local file inclusion. The vulnerabilities were patched on December 20, 2022, with the release of version 4.2.0. However, more than a month later, only 25% of the websites that have the plugin installed have upgraded to the fixed version. That leaves around 75,000 websites potentially exposed to these critical vulnerabilities. The vulnerabilities would allow attackers to display the contents of local files stored on the web server, disclose potentially sensitive information, modify data and, in some cases, execute code.
This segment was created for the It’s 5:05 podcast.