Stored Cross-Site Scripting Vulnerability in LearnPress Plugin for WordPress
CVE-2024-10010

Currently unrated

Key Information:

Vendor
Wordpress
Status
Learnpress
Vendor
CVE Published:
12 December 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

CVE-2024-10010 refers to a high-severity Stored Cross-Site Scripting vulnerability found in the LearnPress WordPress plugin before version 4.2.7.2. This security flaw arises from improper sanitization and escaping of certain settings, which allows high privilege users, such as administrators, to execute malicious scripts. Even in environments where the unfiltered_html capability has been disabled, such as in multisite configurations, the vulnerability can be exploited, increasing the risk of unauthorized code execution and compromising the overall security of the WordPress site.

Affected Version(s)

LearnPress 0 < 4.2.7.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10010 - Proof of Concept

References

https://wpscan.com/vulnerability/8a258d33-a354-4cbb-bfcb-...
exploitvdb-entrytechnical-description

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
WPScan
.