PT-2024-17776 · WordPress · Learnpress

Published: 2024-04-09 · Updated: 2025-01-09 · CVE-2024-1289

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: LearnPress – WordPress LMS Plugin, versions up to and including 4.2.6.3

Description: The issue allows authenticated attackers to obtain information on orders placed by other users and guests, due to missing validation of a user-controlled key when looking up order information. This can be leveraged to sign up for paid courses that were purchased by guests, and the email addresses of other users are also exposed.

Recommendations: For versions up to and including 4.2.6.3, update to a version later than 4.2.6.3 to resolve the issue. As a temporary workaround, consider restricting access to the order information lookup functionality until a patch is applied.

Fix

Weakness Enumeration: Improper Authorization; IDOR

Related Identifiers: CVE-2024-1289

Affected Products: Learnpress