Executive Summary

The LearnPress plugin for WordPress has a vulnerability due to a missing capability check in the delete_question_answer() function in all versions up to 4.3.2.8.

This vulnerability arises because the plugin exposes a wp_rest nonce in the public frontend HTML to unauthenticated visitors and uses that nonce as the only security measure for the lp-load-ajax AJAX dispatcher.

Since the delete_question_answer action lacks any capability or ownership check, unauthenticated attackers can exploit this by sending a crafted POST request with the publicly available nonce to delete any quiz answer option.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthenticated attackers to delete quiz answer options within the LearnPress plugin.

Such unauthorized deletion can lead to data integrity issues and disruption of quiz functionality on affected WordPress sites.

The CVSS score of 9.1 indicates a high severity impact, with the potential for high impact on integrity and availability of data.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized POST requests targeting the LearnPress plugin's AJAX dispatcher, specifically the 'lp-load-ajax' endpoint with the 'delete_question_answer' action.

Since the vulnerability exploits a missing capability check and uses a publicly exposed wp_rest nonce, you can look for suspicious POST requests that include this nonce and attempt to delete quiz answers.

Commands to detect such activity might include using network monitoring tools or web server logs to filter POST requests to endpoints like '/wp-admin/admin-ajax.php' or the AJAX dispatcher URL with parameters related to 'delete_question_answer'.

• Use grep or similar tools on web server logs to find POST requests containing 'delete_question_answer': grep "POST.*delete_question_answer" /var/log/apache2/access.log
• Use network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to the AJAX endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'delete_question_answer'
• Check for unusual or repeated POST requests from unauthenticated IPs targeting the AJAX dispatcher with the nonce parameter.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the LearnPress plugin to a version later than 4.3.2.8 where the vulnerability is fixed.

If an update is not immediately possible, restrict access to the AJAX dispatcher endpoint by implementing firewall rules or web server access controls to block unauthenticated requests.

Additionally, monitor and block suspicious POST requests attempting to invoke the 'delete_question_answer' action.

Consider temporarily disabling the LearnPress plugin if the risk is high and no patch is available.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to delete quiz answer data without proper authorization due to missing capability checks in the LearnPress plugin.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, unauthorized deletion of data could potentially impact data integrity and availability requirements under these regulations.

Organizations relying on LearnPress for handling personal or sensitive data may face compliance risks if data deletion occurs without proper controls, as this could violate principles of data protection and accountability.

Useful 0 Not Useful 0