Vulnerability Description
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Thimpress | Learnpress | < 4.2.6.6 |
Related Weaknesses (CWE)
References
- https://inky-knuckle-2c2.notion.site/Improper-Authentication-in-checkout-leads-pExploit
- https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.6.5/inc/class-lp-Broken Link
- https://plugins.trac.wordpress.org/changeset/3082204/Broken Link
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c9e1410f-10c9-4654-8b6Third Party Advisory
- https://inky-knuckle-2c2.notion.site/Improper-Authentication-in-checkout-leads-pExploit
- https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.6.5/inc/class-lp-Broken Link
- https://plugins.trac.wordpress.org/changeset/3082204/Broken Link
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c9e1410f-10c9-4654-8b6Third Party Advisory
FAQ
What is CVE-2024-4444?
CVE-2024-4444 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account'...
How severe is CVE-2024-4444?
CVE-2024-4444 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-4444?
Check the references section above for vendor advisories and patch information. Affected products include: Thimpress Learnpress.