Blind SQL Injection Vulnerability Affects LifterLMS
CVE-2024-7349

7.2HIGH

Key Information:

Vendor: Chrisbadgett
Status: Lifterlms – WP Lms For Elearning, Online Courses, & Quizzes
Vendor: CVE Published:; 6 September 2024

Summary

The LifterLMS plugin for WordPress is susceptible to a blind SQL Injection vulnerability arising from failed input validation and insufficient escaping for the 'order' parameter. This security flaw affects all versions of the plugin up to and including 7.7.5. Authenticated attackers with administrator-level access can exploit this vulnerability to inject additional SQL queries into the application's existing SQL commands, potentially allowing them to extract sensitive information from the database. This type of vulnerability poses a significant risk to the integrity and confidentiality of the data managed by the impacted product.

Affected Version(s)

LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes * <= 7.7.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3139798/lift...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 6, 2024
Vulnerability Reserved
Jul 31, 2024

Credit

Furkan K.