Unauthenticated Attackers Can Bypass User Registration in LearnPress

CVE-2024-4444
5.3 MEDIUM

Key Information

Vendor
Thimpress
Status
Learnpress – WordPress Lms Plugin
Vendor
Published:
14 May 2024

Summary

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to a user registration bypass in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.

Affected Version(s)

LearnPress – WordPress LMS Plugin <= 4.2.6.5

CVSS V3.1

Score:
5.3
Severity:
MEDIUM

Timeline

  • Vulnerability published.

  • Disclosed

  • Vulnerability Reserved.

Collectors

NVD Database, Mitre Database

Credit

1337_Wannabe