LearnPress
cpe:2.3:a:thimpress:learnpress:*:*:*:*:wordpress:*:*
- <= 4.3.5
A vulnerability exists in the LearnPress WordPress LMS Plugin for creating and selling online courses, affecting all versions up to and including 4.3.5. The issue allows authenticated users with subscriber-level access and above to bypass payment for courses. This is achieved by manipulating the quantity parameter in the REST API, which is not properly sanitized. The unsanitized data is passed to the add_to_cart function, where it can overwrite default values. By setting the quantity to zero, attackers can make the order total zero, effectively enrolling in paid courses for free and bypassing payment gateway requirements.
Exploitation of this vulnerability allows for unauthorized enrollment in paid courses, bypassing all payment requirements.
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to the 'add-course-to-cart' endpoint of the LearnPress REST API. The request must include a quantity value of zero. This will override the default quantity value, which is typically set to one, and cause the order total to be calculated as zero. Once the request is processed, the user will be enrolled in the course without having to make any payment.
Users are advised to update the LearnPress WordPress LMS Plugin to version 4.3.6 or a newer patched version.
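The flaw class described above (request parameters overwriting a default quantity) can be illustrated beside a hardened form. This is an added example, not LearnPress source code or its actual patch; the function names, array keys and price table are hypothetical and the request body is constructed.

```php
<?php
// Constructed model of the flaw class; not LearnPress source code.
// Function names, array keys and the price table are hypothetical.
const COURSE_PRICES = [101 => 49.00]; // constructed: course id => price

// Vulnerable pattern: any request parameter may overwrite a default.
function build_cart_item_vulnerable(array $params): array
{
    $defaults = ['item_id' => 0, 'quantity' => 1];
    return array_merge($defaults, $params); // client 'quantity' wins
}

// Hardened pattern: allowlist the keys and validate each value.
function build_cart_item_hardened(array $params): array
{
    $item_id = filter_var($params['item_id'] ?? null, FILTER_VALIDATE_INT);
    if ($item_id === false || !array_key_exists($item_id, COURSE_PRICES)) {
        throw new InvalidArgumentException('unknown course');
    }
    // Default stays 1; a supplied value must be an integer >= 1.
    $quantity = filter_var($params['quantity'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($quantity === false) {
        throw new InvalidArgumentException('invalid quantity');
    }
    return ['item_id' => $item_id, 'quantity' => $quantity];
}

function order_total(array $item): float
{
    return COURSE_PRICES[(int) $item['item_id']] * (int) $item['quantity'];
}

// Second layer: decide whether payment is required from the catalogue
// price, not from a total that client input can influence.
function requires_payment(array $item): bool
{
    return COURSE_PRICES[(int) $item['item_id']] > 0;
}

$request = ['item_id' => '101', 'quantity' => '0']; // constructed request body
$item = build_cart_item_vulnerable($request);
printf("vulnerable: total %.2f, payment still required: %s\n",
    order_total($item), requires_payment($item) ? 'yes' : 'no');
try {
    build_cart_item_hardened($request);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected (%s)\n", $e->getMessage());
}
```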