CVE-2023-6567: Thimpress LearnPress SQL Injection Flaw

CVE-2023-6567 Overview

CVE-2023-6567 is a time-based SQL injection vulnerability in the LearnPress plugin for WordPress, a learning management system used by WordPress sites to deliver online courses. The flaw affects all versions up to and including 4.2.5.7 and exists in the handling of the order_by parameter. Insufficient escaping of user-supplied input and inadequate preparation of the underlying SQL query allow unauthenticated attackers to append additional SQL statements to existing queries. Successful exploitation enables extraction of sensitive data from the WordPress database, including user credentials and personal information. The issue is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Critical Impact

Unauthenticated attackers can extract sensitive database contents — including credential hashes and student data — from any WordPress site running a vulnerable LearnPress installation.

Affected Products

• ThimPress LearnPress plugin for WordPress, all versions through 4.2.5.7
• WordPress sites with LearnPress installed and active
• LMS deployments built on the LearnPress framework (courses, quizzes, lessons)

Discovery Timeline

• 2024-01-11 - CVE-2023-6567 published to NVD
• 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2023-6567

Vulnerability Analysis

The vulnerability resides in LearnPress query-building logic that consumes the order_by request parameter without proper sanitization or parameterized binding. Because the parameter is concatenated into a raw SQL statement, an attacker can inject SQL fragments that the database executes alongside the intended query. The injection is time-based, meaning attackers infer data by triggering conditional delays (for example, with SLEEP() or BENCHMARK() functions) and observing response latency. This technique works even when results are not echoed back in HTTP responses, making the flaw exploitable as a blind injection.

Exploitation requires no authentication and no user interaction, and it is reachable over the network through standard HTTP requests to the affected plugin endpoints. The EPSS score of 82.255% places this CVE in the 99th percentile of vulnerabilities most likely to be exploited, reflecting the active interest in WordPress plugin SQLi flaws.

Root Cause

The root cause is twofold: the plugin fails to escape the order_by parameter against an allowlist of valid column names, and it does not use prepared statements with bound parameters for the surrounding query. WordPress provides $wpdb->prepare() for parameter binding, but order-by clauses cannot be parameterized directly and must be validated against a strict allowlist. LearnPress omitted that validation in vulnerable releases.

Attack Vector

An attacker sends a crafted HTTP request to a LearnPress endpoint that accepts the order_by parameter — typically course listing, profile, or query endpoints. The malicious value contains SQL syntax that closes the original clause and appends a conditional time-delay payload. By scripting many such requests, the attacker extracts data bit by bit from tables such as wp_users, retrieving usernames, password hashes, and session tokens. Technical details and the corresponding patch are documented in the WordPress Plugin Change Log and the Wordfence Vulnerability Report.

Detection Methods for CVE-2023-6567

Indicators of Compromise

• HTTP requests containing the order_by parameter with SQL keywords such as SLEEP, BENCHMARK, UNION, SELECT, or comment markers (--, #, /*)
• Unusually long response times from LearnPress endpoints, especially on pages that list courses, instructors, or user profiles
• Repeated requests from the same IP iterating over single-character payloads consistent with blind SQLi extraction
• Web server access logs showing high request volume to /wp-admin/admin-ajax.php or LearnPress REST routes with malformed query strings

Detection Strategies

• Enable database query logging on the WordPress MySQL instance and alert on queries containing SLEEP( or BENCHMARK( originating from the LearnPress code path
• Deploy web application firewall (WAF) rules that inspect the order_by parameter for SQL metacharacters and block requests that fail validation
• Correlate slow HTTP responses with parameter content to identify time-based blind injection attempts

Monitoring Recommendations

• Monitor authentication events and password reset activity following any suspicious LearnPress traffic, since credential hashes may have been exfiltrated
• Track the LearnPress plugin version inventory across all managed WordPress sites and alert when a host runs a version at or below 4.2.5.7
• Review WordPress audit logs for unexpected administrative account creation or privilege changes

How to Mitigate CVE-2023-6567

Immediate Actions Required

• Update LearnPress to version 4.2.5.8 or later on every affected WordPress site without delay
• If immediate patching is not possible, deactivate the LearnPress plugin until the upgrade can be applied
• Rotate WordPress administrator passwords and force a password reset for all LearnPress users, assuming credentials may have been exposed
• Audit the wp_users and LearnPress course tables for anomalous entries created during the exposure window

Patch Information

ThimPress released the fix in LearnPress 4.2.5.8. The patch introduces strict allowlist validation of the order_by parameter and improves query preparation to prevent concatenation of attacker-controlled input. The specific code changes are documented in the LearnPress changeset 3013957.

Workarounds

• Configure a WAF rule to reject requests where the order_by parameter contains characters outside [A-Za-z0-9_] or values not present in an allowlist of valid columns
• Restrict access to LearnPress endpoints by IP allowlist or authentication while patching is scheduled
• Place the WordPress database user behind least-privilege controls so that the LearnPress connection cannot read tables outside its required scope

# Example WAF rule (ModSecurity) to block suspicious order_by values
SecRule ARGS:order_by "!@rx ^[A-Za-z0-9_]{1,64}$" \
    "id:1006567,phase:2,deny,status:403,\
    msg:'CVE-2023-6567 LearnPress order_by SQLi attempt',\
    logdata:'order_by=%{ARGS.order_by}'"