CVE-2024-2115 Overview
CVE-2024-2115 affects the LearnPress – WordPress LMS Plugin for WordPress in all versions up to and including 4.0.0. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw caused by missing or incorrect nonce validation on the filter_users function. Unauthenticated attackers can elevate privileges to a teacher role by tricking a site administrator into clicking a crafted link. The issue is classified under CWE-352 and impacts WordPress sites running vulnerable LearnPress installations.
Critical Impact
Successful exploitation grants attackers teacher-level privileges on affected WordPress sites, enabling unauthorized course management and access to learning management system functions.
Affected Products
- Thimpress LearnPress WordPress LMS Plugin versions up to and including 4.0.0
- WordPress sites running vulnerable LearnPress installations
- Administrators authenticated to vulnerable LearnPress instances
Discovery Timeline
- 2024-04-05 - CVE-2024-2115 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2024-2115
Vulnerability Analysis
The vulnerability resides in the filter_users function within the LearnPress admin code. The function fails to validate a WordPress nonce before processing requests. An attacker can craft a malicious HTML page or link that issues a request to the vulnerable endpoint when an authenticated administrator visits it. The browser automatically includes the administrator's session cookies, and the server processes the request as legitimate. The result is unauthorized privilege escalation to the teacher role.
Exploitation requires user interaction. The attacker must trick an authenticated administrator into clicking a crafted link or visiting an attacker-controlled page. Once triggered, the action executes with the administrator's session context. The vulnerability is exploitable over the network without authentication on the attacker side.
Root Cause
The root cause is missing or incorrect nonce validation on the filter_users function in inc/admin/class-lp-admin.php. WordPress nonces are tokens designed to verify that a request originated from a legitimate source. Without proper check_admin_referer() or wp_verify_nonce() calls, the plugin cannot distinguish between requests initiated by a logged-in administrator and forged requests carried by the administrator's browser.
Attack Vector
The attack vector is network-based and requires user interaction. The attacker hosts a malicious page or distributes a link through phishing channels. When an authenticated WordPress administrator visits the page, the browser submits a forged request to the vulnerable LearnPress endpoint. The server executes the privilege change because no nonce check rejects the request. No prior authentication or credentials are required on the attacker's side.
For technical details on the patch, review the WordPress Changeset 4.0.1 and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-2115
Indicators of Compromise
- Unexpected user role changes to teacher in the WordPress users table
- HTTP POST or GET requests to LearnPress admin endpoints lacking valid _wpnonce parameters
- Administrator session activity originating from external referrers immediately before role escalation events
- New or modified user accounts with elevated LearnPress capabilities not initiated by site staff
Detection Strategies
- Audit WordPress user role assignments and compare against authorized change records
- Inspect web server logs for requests to the filter_users endpoint with suspicious Referer headers pointing to external domains
- Monitor LearnPress plugin version across all WordPress installations to identify instances at or below version 4.0.0
- Review WordPress audit logs for unexplained capability assignments tied to administrator sessions
Monitoring Recommendations
- Enable a WordPress activity logging plugin to record user role modifications with source IP and referrer
- Alert on HTTP requests to LearnPress administrative endpoints originating from non-internal referrers
- Track plugin version inventory across the WordPress fleet and flag installations running vulnerable LearnPress releases
How to Mitigate CVE-2024-2115
Immediate Actions Required
- Update the LearnPress – WordPress LMS Plugin to version 4.0.1 or later on all affected WordPress sites
- Audit current user roles and revoke any teacher accounts that were not legitimately provisioned
- Train WordPress administrators to avoid clicking unsolicited links while authenticated to the admin dashboard
- Force-logout active administrator sessions after patching to invalidate any in-flight forged actions
Patch Information
Thimpress addressed the vulnerability in LearnPress version 4.0.1. The fix adds proper nonce validation to the filter_users function in inc/admin/class-lp-admin.php. Site operators should apply the update through the WordPress plugin manager or by deploying the patched release from the official LearnPress repository. Review the WordPress Changeset 4.0.1 for the exact code changes.
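To make the root cause concrete, the following added illustration (not LearnPress's own code, and not the actual 4.0.1 changeset) shows a hypothetical role-changing admin action handler without a nonce check beside the hardened form that validates the nonce with check_admin_referer() and checks the caller's capability; the hook, action, nonce and role names are assumptions, only the WordPress API calls are real.

```php
<?php
// Added illustration, not LearnPress's own code: hook, action, nonce and role
// names are assumptions; only the WordPress API calls are real.

// Shared effect: promote the target user. Safe only if the caller proved intent.
function lp_example_apply_teacher_role( $user_id ) {
    $user = get_userdata( absint( $user_id ) );
    if ( $user ) {
        $user->set_role( 'lp_teacher' ); // assumed role slug
    }
}

// BEFORE (CSRF-prone): any request that arrives with the administrator's
// session cookie is trusted, including one launched from a third-party page.
function lp_example_filter_users_vulnerable() {
    if ( isset( $_REQUEST['user_id'] ) ) {
        lp_example_apply_teacher_role( $_REQUEST['user_id'] );
    }
}

// AFTER (hardened): the request must carry a nonce bound to this action and to
// the current user's session, and the caller must hold the right capability.
function lp_example_filter_users_fixed() {
    // Calls wp_die() when _wpnonce is missing, expired or minted for another action.
    check_admin_referer( 'lp_example_filter_users' );

    // A nonce proves intent, not authority: capability is checked separately.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'lp-example' ), 403 );
    }

    if ( isset( $_REQUEST['user_id'] ) ) {
        lp_example_apply_teacher_role( $_REQUEST['user_id'] );
    }
}
add_action( 'admin_post_lp_example_filter_users', 'lp_example_filter_users_fixed' );

// The plugin's own UI mints the matching nonce, so only links and forms the
// plugin rendered for this administrator pass check_admin_referer().
function lp_example_filter_users_link( $user_id ) {
    $url = add_query_arg(
        array( 'action' => 'lp_example_filter_users', 'user_id' => absint( $user_id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'lp_example_filter_users' );
}
```

Because the nonce is derived from the logged-in user's session token, a token captured for one administrator does not validate for another, and the WAF workaround below (blocking requests that lack _wpnonce) only screens the parameter's presence, not its validity.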
Workarounds
- Restrict access to the WordPress admin panel by IP allowlisting at the web server or WAF layer until the patch is applied
- Deploy a web application firewall rule that blocks requests to LearnPress admin endpoints lacking a valid _wpnonce parameter
- Require administrators to use a separate browser profile or session strictly for WordPress administration to reduce CSRF exposure
- Temporarily deactivate the LearnPress plugin on sites where patching cannot be completed immediately
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.