CVE-2024-1289
First published: Tue Apr 09 2024(Updated: )
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to obtain information on orders placed by other users and guests, which can be leveraged to sign up for paid courses that were purchased by guests. Emails of other users are also exposed.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Thimpress Learnpress | <4.2.6.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/description
- agent/first-publish-date
- agent/references
- agent/type
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/tags
- vendor/thimpress
- canonical/thimpress learnpress