CVE-2024-8529: 
WordPress vulnerability analysis and mitigation

The LearnPress WordPress LMS Plugin is affected by a critical SQL Injection vulnerability (CVE-2024-8529) in versions up to and including 4.2.7. The vulnerability exists in the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint. This security flaw was discovered in September 2024 and received a CVSS v3.1 score of 10.0 (Critical) from Wordfence, while NIST assigned it a score of 7.5 (High) (NVD, SecurityOnline).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the LearnPress REST API endpoint. This SQL injection flaw allows unauthenticated attackers to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD).

With over 90,000 active installations affected, the vulnerability's impact is significant. Successful exploitation could lead to the extraction of sensitive information including user credentials, personal data, and course-related information, database tampering (modification, deletion, or corruption of stored data), and potential full control over the site's data (SecurityOnline).

The developers have released version 4.2.7.1 to address this critical vulnerability. All users are strongly urged to update their LearnPress plugin to the latest version immediately to mitigate the risk (SecurityOnline).