Blind SQL Injection Vulnerability Affects LifterLMS
CVE-2024-7349

7.2HIGH

Key Information:

Vendor
Chrisbadgett
Status
Lifterlms – WP Lms For Elearning, Online Courses, & Quizzes
Vendor
CVE Published:
6 September 2024

Summary

The LifterLMS plugin for WordPress is susceptible to a blind SQL Injection vulnerability arising from failed input validation and insufficient escaping for the 'order' parameter. This security flaw affects all versions of the plugin up to and including 7.7.5. Authenticated attackers with administrator-level access can exploit this vulnerability to inject additional SQL queries into the application's existing SQL commands, potentially allowing them to extract sensitive information from the database. This type of vulnerability poses a significant risk to the integrity and confidentiality of the data managed by the impacted product.

Affected Version(s)

LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes * <= 7.7.5

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Furkan K.
.