Vulnerability Details: Arbitrary File Upload In LearnPress
We recently improved the software we use to proactively monitor changes made to plugins in the Plugin Directory for serious vulnerabilities, so that it functions more like our Plugin Security Checker. That allows us to test possible additions to the Plugin Security Checker before implementing them in something that is accessible to others. Through a new check we were testing (and have now implemented in the Plugin Security Checker), code in the plugin LearnPress was flagged as possibly having an arbitrary file upload vulnerability. In looking into that, we found that while the code is vulnerable, it is no longer run by the plugin, so it can’t be exploited directly through the plugin. It is possible, though, that it could be reached through a vulnerability that allows running arbitrary PHP functions (like a vulnerability we spotted being introduced into another plugin about a month ago).
...
This post provides insights on a vulnerability in the WordPress plugin LearnPress not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.