LearnPress WordPress LMS Plugin Missing Authorization Vulnerability Allows Arbitrary Quiz Answer Deletion

Vulnerability

A vulnerability exists in the LearnPress WordPress LMS Plugin, specifically in versions through 4.3.2.8. The issue arises from a missing capability check in the 'delete_question_answer()' function within the 'EditQuestionAjax' class. While the 'AbstractAjax::catch_lp_ajax()' dispatcher verifies a wp_rest nonce, it does not perform a 'current_user_can()' check. Additionally, the 'QuestionAnswerModel::delete()' method only checks for minimum answer counts without considering user capabilities. This flaw enables authenticated attackers with Subscriber-level access or higher to delete answer options from any quiz question on the site.
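The fix the advisory describes amounts to an authorization check placed ahead of the delete: the wp_rest nonce proves the request came from a logged-in browser session, not that the user may edit the question. The hardened handler below is an added illustration, not LearnPress's own code; the WordPress functions are real core APIs, while QuestionAnswerModel::find(), get_question_id(), the instance delete() and its WP_Error return convention are assumed.

```php
<?php
/**
 * Illustrative hardened version of the handler named in the advisory.
 * Not the plugin's code: QuestionAnswerModel::find(), ->get_question_id(),
 * the instance ->delete() and its WP_Error return are assumptions.
 */
class EditQuestionAjax_Hardened {

    public static function delete_question_answer() {
        // 1. CSRF check: what AbstractAjax::catch_lp_ajax() already does.
        //    This only proves the request originated from an authenticated
        //    session; it says nothing about what that user is allowed to do.
        $nonce = isset( $_REQUEST['nonce'] )
            ? sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
            wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
        }

        $answer_id = isset( $_REQUEST['question_answer_id'] )
            ? absint( $_REQUEST['question_answer_id'] ) : 0;
        if ( ! $answer_id ) {
            wp_send_json_error( array( 'message' => 'Missing question_answer_id' ), 400 );
        }

        // 2. Authorization: the check the vulnerable version lacks. Resolve the
        //    answer to its parent question and require the edit_post meta
        //    capability on that question. A Subscriber holds no edit capability
        //    on another user's content, so the request stops here, before
        //    QuestionAnswerModel::delete() and its minimum-count rule run.
        $answer = QuestionAnswerModel::find( $answer_id ); // assumed lookup helper
        if ( ! $answer ) {
            wp_send_json_error( array( 'message' => 'Answer not found' ), 404 );
        }
        $question_id = (int) $answer->get_question_id(); // assumed accessor
        if ( ! current_user_can( 'edit_post', $question_id ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
        }

        // 3. Only now apply the existing business rule and delete.
        $result = $answer->delete(); // assumed to return true or WP_Error
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
        }
        wp_send_json_success( array( 'deleted' => $answer_id ) );
    }
}
```

The ordering matters: the capability check must precede the model's minimum-answer-count logic, since that logic validates data integrity, not the caller's rights.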

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of quiz question answers, potentially disrupting course assessments and grading.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the WordPress REST API to delete a quiz question answer. The request must include the 'lp-load-ajax' parameter set to 'delete_question_answer', the 'nonce' parameter for verification, and the 'question_answer_id' parameter specifying the ID of the answer to be deleted. The absence of a proper capability check allows this action to be performed without the necessary permissions.

Remediation

Users are advised to update the LearnPress WordPress LMS Plugin to version 4.3.3 or a newer patched version.

Added: Mar 23, 2026, 11:31 PM
Updated: Mar 23, 2026, 11:31 PM

Vulnerability Rating

Custom Algorithm

  spread          6.4
  impact          0.6
  exploitability  6.4
  remediation     7.7
  relevance       4.6
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.