CVE-2023-6567 — AI Deep Analysis Summary

🚨 **Essence**: Time-based SQL Injection in LearnPress plugin. 💥 **Consequences**: Attackers can steal sensitive DB data, compromise site integrity, and potentially take over the server.…

🛡️ **Root Cause**: CWE-89 (SQL Injection). 🐛 **Flaw**: Insufficient escaping of the `order_by` parameter + lack of prepared statements. The code blindly trusts user input when building SQL queries.

👥 **Affected**: WordPress Plugin **LearnPress**. 📦 **Versions**: 4.2.5.7 and earlier. 🏢 **Vendor**: ThimPress. If you run an LMS site with this plugin, you are at risk.

💀 **Hackers Can**: Extract `user_pass` hashes, dump entire database tables, and escalate privileges. 📂 **Data at Risk**: User credentials, course data, and potentially admin secrets. Full database access is possible.

🔓 **Threshold**: LOW. 🚫 **Auth Required**: None (Unauthenticated). 🌐 **Access**: Remote. Any visitor can trigger the exploit via the `/wp-json/lp/v1/courses/` endpoint. No login needed.

💣 **Public Exp?**: YES. 📜 **PoC**: Available on GitHub (mimiloveexe/CVE-2023-6567-poc). 🛠️ **Tools**: Works with `sqlmap` using the `-r` flag. Wild exploitation is highly likely given the ease of use.

🔍 **Self-Check**: Scan for `order_by` parameter in LearnPress API endpoints. 📡 **Detection**: Use Nuclei templates (projectdiscovery). 🧪 **Test**: Send time-delay payloads via `order_by` to detect blind SQLi responses.

🩹 **Fixed?**: YES. 📢 **Patch**: Update LearnPress to version > 4.2.5.7. 🔄 **Action**: Check WordPress plugin updates immediately. The vendor released a fix in changeset 3013957.

🚧 **No Patch?**: Disable the LearnPress plugin temporarily. 🛑 **Mitigation**: Block `/wp-json/lp/v1/` endpoints via WAF if possible. 🚫 **Best**: Remove the plugin if not actively used. Do not leave it exposed.

🔥 **Urgency**: CRITICAL. 🚨 **Priority**: Patch IMMEDIATELY. CVSS Score is High (3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Unauthenticated access makes this a top-tier threat. Act now!