CVE-2024-9609: LearnPress Export Import – WordPress extension for LearnPress <= 4.0.4 - Reflected Cross-Site Scripting
First published: Fri Nov 15 2024(Updated: )
The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'learnpress_import_form_server' parameter in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ThimPress LearnPress Export Import | <4.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c7429367-f9f4-4859-9537-0f543e32870a?source=cve
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/admin/views/import.php#L23
- https://plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/admin/providers/learnpress/class-lp-import-learnpress.php#L90
- https://plugins.trac.wordpress.org/changeset/3186901/learnpress-import-export/trunk/inc/admin/views/import.php
- https://plugins.trac.wordpress.org/changeset/3186901/learnpress-import-export/trunk/inc/admin/providers/learnpress/class-lp-import-learnpress.php
Frequently Asked Questions
What is the severity of CVE-2024-9609?
CVE-2024-9609 is categorized as a medium severity vulnerability due to its potential for reflected cross-site scripting.
How do I fix CVE-2024-9609?
To fix CVE-2024-9609, update the LearnPress Export Import plugin to version 4.0.5 or later.
What versions are affected by CVE-2024-9609?
CVE-2024-9609 affects all versions of the LearnPress Export Import plugin up to and including version 4.0.4.
What type of vulnerability is CVE-2024-9609?
CVE-2024-9609 is a reflected cross-site scripting vulnerability caused by insufficient input sanitization.
How can attackers exploit CVE-2024-9609?
Attackers can exploit CVE-2024-9609 by sending specially crafted requests containing malicious scripts through the 'learnpress_import_form_server' parameter.
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/event
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/trending
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/thimpress
- canonical/thimpress learnpress export import