CVE-2024-4434 Overview
CVE-2024-4434 is an unauthenticated time-based SQL injection vulnerability in the LearnPress WordPress LMS Plugin developed by ThimPress. The flaw exists in versions up to and including 4.2.6.5 and stems from improper handling of the term_id parameter. Attackers can append SQL clauses to existing queries without authentication, enabling extraction of sensitive data from the underlying database. The vulnerable code resides in inc/Databases/class-lp-course-db.php, and the issue was remediated in WordPress plugin changeset 3082204. With LearnPress installed on more than 100,000 WordPress sites, the attack surface is broad.
Critical Impact
Unauthenticated attackers can extract database contents — including user credentials, session tokens, and personally identifiable information — through time-based blind SQL injection.
Affected Products
- ThimPress LearnPress WordPress LMS Plugin versions up to and including 4.2.6.5
- WordPress installations using LearnPress with default configurations
- Sites running the vulnerable class-lp-course-db.php query logic
Discovery Timeline
- 2024-05-14 - CVE-2024-4434 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2024-4434
Vulnerability Analysis
The vulnerability is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. LearnPress accepts the term_id parameter from user input and concatenates it into an SQL query without sufficient escaping or parameterization. The query is executed via WordPress's $wpdb interface, but the affected path bypasses prepared statement protections. Because the injection point relies on response timing rather than direct output, attackers use time-based blind techniques, typically SLEEP() or BENCHMARK() payloads, to infer data character by character. The EPSS score of 77.09% (98.99th percentile) indicates a high estimated probability that this WordPress plugin SQL injection is exploited in the wild.
Root Cause
The root cause is insufficient sanitization of the term_id parameter combined with the absence of proper query preparation. The vulnerable code path in class-lp-course-db.php at line 508 constructs SQL strings using direct value interpolation instead of $wpdb->prepare() with placeholders. This allows attacker-controlled input to alter query structure.
Attack Vector
Attackers exploit this vulnerability remotely over the network without authentication or user interaction. A malicious HTTP request supplies a crafted term_id value containing SQL syntax such as conditional SLEEP clauses. The server's response delay reveals boolean conditions, allowing iterative extraction of database contents. Targets include wp_users records, password hashes, session tokens, and configuration data stored in wp_options. Technical write-ups documenting the payload structure are available in the Wordfence Vulnerability Report and the Notion SQL Injection Analysis.
Detection Methods for CVE-2024-4434
Indicators of Compromise
- HTTP requests containing SQL keywords such as SLEEP, BENCHMARK, UNION, or SELECT within the term_id parameter
- Anomalous request latencies on LearnPress endpoints, particularly those serving course or term data
- Repeated requests from the same source IP with incremental payload variations indicating blind extraction
- Unexpected database queries, such as ones containing SLEEP() or BENCHMARK(), issued by PHP worker processes during LearnPress request handling
Detection Strategies
- Inspect web server access logs for term_id parameter values that contain non-numeric content or URL-encoded SQL metacharacters
- Deploy Web Application Firewall (WAF) rules matching time-based SQL injection signatures targeting WordPress plugin endpoints
- Correlate slow query log entries in MySQL/MariaDB with HTTP requests to LearnPress routes
- Monitor for sequential probing patterns characteristic of automated blind SQLi tools such as sqlmap
Monitoring Recommendations
- Enable MySQL general query logging temporarily on suspected hosts to capture injected payloads
- Aggregate WordPress and database logs into a centralized analytics platform for cross-correlation
- Alert on response time outliers for LearnPress URLs that exceed baseline percentiles
- Track plugin version inventory across all WordPress hosts to identify exposed installations
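As an added illustration of the indicators and detection strategies above (not code from this page or from LearnPress), the following Python script parses a constructed access-log sample, URL-decodes the term_id parameter, flags non-numeric values and SQL keywords, compares each response time against a baseline taken from clean requests, and reports sources that send several distinct suspicious values. The log format, the request paths and the trailing latency field are assumptions.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log sample, not real traffic: client IP, timestamp, request line, status
# and response time in ms. Paths are placeholders (the page does not name the LearnPress route).
SAMPLE_LOG = """\
203.0.113.5 [14/May/2024:10:00:01 +0000] "GET /?term_id=12 HTTP/1.1" 200 180
203.0.113.5 [14/May/2024:10:00:03 +0000] "GET /?term_id=13 HTTP/1.1" 200 190
198.51.100.9 [14/May/2024:10:01:00 +0000] "GET /?term_id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5210
198.51.100.9 [14/May/2024:10:01:06 +0000] "GET /?term_id=1%20AND%20BENCHMARK(1000000,1) HTTP/1.1" 200 4900
198.51.100.9 [14/May/2024:10:01:12 +0000] "GET /?term_id=1%27 HTTP/1.1" 500 175
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3} (?P<ms>\d+)$')
SQL_KEYWORDS = re.compile(r"\b(SLEEP|BENCHMARK|UNION|SELECT)\b", re.IGNORECASE)

def classify_term_id(value):
    """Reasons a URL-decoded term_id looks injected; an empty list means clean."""
    reasons = []
    if not re.fullmatch(r"\d+", value):      # a legitimate term_id is a bare integer
        reasons.append("non-numeric")
    if SQL_KEYWORDS.search(value):
        reasons.append("sql-keyword")
    return reasons

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    # parse_qs URL-decodes, so %20 / %27 become literal characters before inspection
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    return {"ip": m["ip"], "ms": int(m["ms"]), "term_id": qs.get("term_id", [None])[0]}

def analyze(log_text, slow_factor=10, probe_min=3):
    """Return (findings, probing_ips): flagged requests and sources showing iterative probing."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r and r["term_id"] is not None]
    benign = [r["ms"] for r in records if not classify_term_id(r["term_id"])]
    baseline = statistics.median(benign) if benign else 0   # latency baseline from clean requests
    findings, per_ip = [], defaultdict(set)
    for r in records:
        reasons = classify_term_id(r["term_id"])
        if baseline and r["ms"] > slow_factor * baseline:
            reasons.append("slow-response")   # SLEEP()/BENCHMARK() payloads stall the response
        if reasons:
            findings.append({**r, "reasons": reasons})
            per_ip[r["ip"]].add(r["term_id"])
    # several distinct suspicious values from one source is the blind-extraction pattern
    probing_ips = sorted(ip for ip, vals in per_ip.items() if len(vals) >= probe_min)
    return findings, probing_ips
```

Running analyze(SAMPLE_LOG) flags the three requests from 198.51.100.9 and lists that address as a probing source; the two clean requests set the latency baseline and are not reported.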
How to Mitigate CVE-2024-4434
Immediate Actions Required
- Update LearnPress to version 4.2.6.6 or later, which contains the fix delivered in changeset 3082204
- Audit database logs and WordPress access logs for evidence of prior exploitation against the term_id parameter
- Rotate WordPress administrator passwords, API keys, and authentication salts if compromise is suspected
- Apply WAF virtual patching rules to block SQL injection payloads while patching is scheduled
Patch Information
ThimPress released a patched version of LearnPress that introduces proper input validation and prepared statements for the affected query. The fix is documented in the WordPress Changeset Update. Review the patched source against the WordPress LearnPress File Reference to verify deployment.
Workarounds
- Disable the LearnPress plugin until the patched version can be deployed if business operations allow
- Restrict access to LearnPress endpoints using IP allowlists or authentication gateways at the reverse proxy
- Configure WAF rules to reject requests where term_id contains non-integer characters
- Apply principle of least privilege to the WordPress database user, limiting it to the minimum required permissions
# Example WAF rule (ModSecurity) to block non-numeric term_id values
SecRule ARGS:term_id "!@rx ^[0-9]+$" \
"id:1004434,phase:2,deny,status:403,\
msg:'CVE-2024-4434 LearnPress term_id SQLi attempt',\
tag:'attack-sqli',tag:'CWE-89'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

