PT-2022-13138 · WordPress · Learnpress
Ceylan Bozogullarindan · Published 2022-02-28 · Updated 2023-08-02 · CVE-2022-0377
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
LearnPress WordPress plugin versions prior to 4.1.5
Description
After registration, users can upload an image as a profile avatar, which is then cropped and saved. A POST request is sent to the server to rename and crop the image, changing the user-supplied image name to an MD5 value. This process is limited to JPG or PNG image types. An attacker can exploit this to rename an arbitrary image file, potentially disrupting the website's design.
Recommendations
For versions prior to 4.1.5, update to version 4.1.5 or later to resolve the issue. As a temporary workaround, consider restricting the image upload functionality to trusted users or disabling the image cropping and renaming feature until the update is applied.
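One way a rename handler can confine the operation to the requesting user's own avatar file, shown as an added example: it is not LearnPress code and not the 4.1.5 fix. The function name, directory layout and parameters are hypothetical, and a random hex name stands in for the MD5 value.

```php
<?php
// Added illustration, not LearnPress code. All names below are hypothetical.

/**
 * Rename an uploaded avatar, accepting only a plain JPG/PNG file name that
 * resolves to a file directly inside the requesting user's avatar directory.
 */
function rename_avatar_safely(string $userDir, string $supplied): string
{
    $base = realpath($userDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('avatar directory missing');
    }
    // Reject directory components instead of trying to clean them up.
    if ($supplied === '' || $supplied !== basename(str_replace('\\', '/', $supplied))) {
        throw new RuntimeException('file name must not contain a path');
    }
    // Same JPG/PNG restriction the description mentions.
    $ext = strtolower(pathinfo($supplied, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png'], true)) {
        throw new RuntimeException('unsupported image type');
    }
    // Resolve symlinks, then confirm the file really sits in $base.
    $source = realpath($base . DIRECTORY_SEPARATOR . $supplied);
    if ($source === false || !is_file($source) || dirname($source) !== $base) {
        throw new RuntimeException('image is not in the user avatar directory');
    }
    // Server-chosen name; random hex is used here in place of the MD5 value.
    $target = $base . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!rename($source, $target)) {
        throw new RuntimeException('rename failed');
    }
    return $target;
}

// Constructed demo data in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatar_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'me.png', 'constructed sample bytes');

try {
    rename_avatar_safely($dir, 'subdir/other.png'); // name carrying a path
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'renamed to: ', basename(rename_avatar_safely($dir, 'me.png')), PHP_EOL;
```

The caller is assumed to derive `$userDir` from the authenticated session, never from request data.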
Exploit
Fix
Use of a Broken Cryptographic Algorithm
Weakness Enumeration
Related Identifiers
Affected Products
Learnpress