Blind SQL Injection Vulnerability Affects LifterLMS
CVE-2024-7349
Key Information:
- Vendor
- Chrisbadgett
- Status
- Lifterlms – WP Lms For Elearning, Online Courses, & Quizzes
- Vendor
- CVE Published:
- 6 September 2024
Summary
The LifterLMS plugin for WordPress is susceptible to a blind SQL Injection vulnerability arising from failed input validation and insufficient escaping for the 'order' parameter. This security flaw affects all versions of the plugin up to and including 7.7.5. Authenticated attackers with administrator-level access can exploit this vulnerability to inject additional SQL queries into the application's existing SQL commands, potentially allowing them to extract sensitive information from the database. This type of vulnerability poses a significant risk to the integrity and confidentiality of the data managed by the impacted product.
Affected Version(s)
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes * <= 7.7.5
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved