LearnPress is a popular Learning Management System (LMS) plugin for WordPress, used by educators and organizations to create online courses, quizzes, and manage learning materials. A critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-13127, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Decimal separator” field in the plugin’s general settings. The injected script is then executed when the “Order Details” page is viewed, potentially allowing attackers to take over the accounts of admins or other users. With over 100,000 active installations, this vulnerability presents a serious security risk to WordPress websites using LearnPress.
| CVE | CVE-2024-13127 |
| Plugin | LearnPress – WordPress LMS Plugin < 4.2.7.5.1 |
| Critical | High |
| All Time | 4 944 500 |
| Active installations | 100 000+ |
| Publicly Published | January 17, 2025 |
| Last Updated | January 17, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13127 https://wpscan.com/vulnerability/003ac248-74db-4b83-af0b-aa37ffb9b3d3/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| December 24, 2024 | Plugin testing and vulnerability detection in the Master Slider have been completed |
| December 24, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2025 | Registered CVE-2024-13127 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of LearnPress. It was found that the plugin fails to properly sanitize user input in the “Decimal separator” field, located in the plugin’s general settings. This field allows users to define a decimal separator for numerical values in the system. However, the plugin does not properly validate or sanitize input in this field, allowing an attacker to inject JavaScript. The injected JavaScript is then saved in the WordPress database, where it is executed when the “Order Details” page is rendered on the frontend. This flaw stems from inadequate input sanitization in the plugin’s settings, allowing malicious scripts to be executed.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious JavaScript into a website, which is executed when a user visits the page. This type of attack is particularly dangerous because it allows the attacker to hijack sessions, steal credentials, or perform actions on behalf of the user. XSS vulnerabilities are often found in WordPress plugins that handle user input without proper sanitization. A well-known example of XSS in WordPress occurred in the WPForms plugin, where attackers were able to inject JavaScript into form fields. Similarly, CVE-2024-13127 exploits the same type of flaw in LearnPress, allowing JavaScript injection into the “Decimal separator” field, which is later executed when users view the “Order Details” page.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13127, an attacker with editor-level privileges:
POC:
1) Go to main settings -> 127.0.0.1/wordpress/wp-admin/admin.php?page=learn-press-settings&tab=general 2) Change "Decimal separator" field to <img src=x onerror=alert(1)> 3) To trigger XSS you should go to any Order Details____
The risks posed by CVE-2024-13127 are significant. If exploited, an attacker could hijack an administrator’s session, gaining full control of the WordPress site. Once the attacker gains admin access, they can modify content, install malicious plugins, steal sensitive user data, or deface the site. In a real-world scenario, an attacker could use this vulnerability to escalate their privileges by hijacking an admin’s session or creating a backdoor admin account, giving them persistent control of the site even after the vulnerability is patched. This is especially concerning for websites handling sensitive information, such as e-commerce sites, educational platforms, and membership websites. A successful exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-13127, administrators should immediately update the LearnPress plugin to the latest patched version once a fix is released. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, especially editors, to prevent them from injecting JavaScript into plugin settings. It is essential to properly sanitize and validate all user input, especially in fields that affect the frontend, such as the “Decimal separator” field. Implementing Content Security Policies (CSP) and performing regular security audits can help detect and block potential XSS vulnerabilities before they can be exploited. Limiting user permissions and reviewing user roles periodically can also help prevent privilege escalation attacks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13127, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
