LearnPress
cpe:2.3:a:thimpress:learnpress:*:*:*:*:wordpress:*:*
- <= 4.2.9.3
A vulnerability exists in the LearnPress WordPress LMS Plugin, affecting all versions up to and including 4.2.9.2. The issue arises from inadequate capability checks on Admin Tools REST endpoints, which are registered with a permission callback that allows unrestricted access. This flaw enables unauthenticated attackers to execute harmful database operations, such as removing indexes from any table (including critical WordPress core tables like wp_options), duplicating configuration entries, and impairing site performance through the /wp-json/lp/v1/admin/tools/create-indexs endpoint, provided they can specify the target table names.
Exploitation of this vulnerability allows for unauthorized data modification in the WordPress database, including disruptive changes to core tables that can degrade site performance.
The vulnerability can be reproduced by sending a POST request to the /wp-json/lp/v1/admin/tools/create-indexs endpoint without authentication. The request must include table names as parameters. The absence of proper authorization checks on this endpoint allows for the manipulation of database indexes, which can disrupt normal site operations.
Users are advised to update the LearnPress WordPress LMS Plugin to version 4.2.9.4 or a newer patched version.
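The check below is an added example, not code from this advisory or from the LearnPress project: it scans a web server access log for POST requests to the endpoint named above. It assumes combined log format, uses constructed sample lines, and also matches the `?rest_route=` form that WordPress accepts for REST routes.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Route taken from the advisory. WordPress serves REST routes both under
# /wp-json/ and through the ?rest_route= query parameter.
ROUTE = "/lp/v1/admin/tools/create-indexs"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2025:10:01:02 +0000] "POST /wp-json/lp/v1/admin/tools/create-indexs HTTP/1.1" 200 87 "-" "ExampleClient/1.0"',
    '203.0.113.7 - - [12/Jan/2025:10:01:05 +0000] "POST /index.php?rest_route=%2Flp%2Fv1%2Fadmin%2Ftools%2Fcreate-indexs HTTP/1.1" 200 87 "-" "ExampleClient/1.0"',
    '198.51.100.4 - - [12/Jan/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "ExampleClient/1.0"',
    '198.51.100.9 - - [12/Jan/2025:10:03:00 +0000] "POST /wp-json/lp/v1/admin/tools/create-indexs HTTP/1.1" 401 120 "-" "ExampleClient/1.0"',
]

def rest_route_of(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        route = path.split("/wp-json/", 1)[1]
    else:
        values = parse_qs(parts.query).get("rest_route")
        if not values:
            return None
        route = values[0]  # parse_qs has already percent-decoded this
    return "/" + route.strip("/").lower()  # normalise slashes and case

def find_hits(lines):
    """Return (ip, time, status) for each POST to the Admin Tools index route."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if rest_route_of(m["target"]) == ROUTE:
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, when, status in find_hits(SAMPLE_LOG):
        verdict = "handler ran" if 200 <= status < 300 else "rejected or failed"
        print(f"{when}  {ip}  HTTP {status}  ({verdict})")
```

Access logs do not record whether a request was authenticated, so compare hits against known administrator activity. A 2xx status means the handler ran; a 401 or 403 means the request was refused.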