CVE-2022-3360

Name of the Vulnerable Software and Affected Versions LearnPress WordPress plugin versions prior to 4.1.7.2

Description The issue arises from the unserialization of user input in a REST API endpoint, which is accessible to unauthenticated users. This could lead to PHP Object Injection when a suitable gadget is present, resulting in remote code execution (RCE). To exploit this, attackers must have knowledge of the site secrets, enabling them to generate a valid hash via the wp hash() function.

Recommendations For versions prior to 4.1.7.2, update to version 4.1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API endpoint to minimize the risk of exploitation.