CVE-2018-25019: 
WordPress vulnerability analysis and mitigation

CVE-2018-25019 affects the LearnDash LMS WordPress plugin versions before 2.5.4. The vulnerability was discovered on December 27, 2017, publicly disclosed on January 6, 2018, and was patched in version 2.5.4 released on January 3, 2018. This security flaw exists in the learndash_assignment_process_init() function, which lacks proper authorization and file validation mechanisms (NVD, WPScan).

The vulnerability stems from insufficient security controls in the learndash_assignment_process_init() function located in wp-content/plugins/sfwd-lms/includes/ld-assignment-uploads.php. The function fails to verify user authentication status or validate file uploads properly. While the plugin uses WordPress's wp_check_filetype() API function and removes filename extensions, this can be bypassed using double extensions (e.g., 'script.php.php' becomes 'script.php.'). The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD, Full Disclosure).

The vulnerability allows unauthenticated users to upload arbitrary files to the web server, potentially leading to remote code execution. The uploaded PHP files, even with a trailing dot, can still be executed by default on servers running Apache with PHP CGI/FastCGI SAPI (Full Disclosure).

The vulnerability was fixed in LearnDash LMS version 2.5.4. Users should immediately upgrade to this version or newer to protect their installations. The fix was released on January 3, 2018, just one day after the vendor was notified of the vulnerability (Full Disclosure).