It's time for a reminder to ensure all of your WordPress plugins are fully up to date (or removed, if you don’t need them). Bleeping Computer reports that as many as 75,000 WordPress sites may be open to several flaws in a plugin called LearnPress. Worse, the update tally for users of the plugin isn’t doing particularly well, with a big slice of site owners still to update.
If you own or operate a website there is a very good chance it uses WordPress. More than 40 percent of websites use a version of it, and it’s used on more websites than all other website Content Management Systems (CMS) combined. One of the reasons it’s so popular is that it can be easily extended by adding plugins, of which there are tens of thousands.
Provided it is kept up to date and protected by two-factor authentication, WordPress itself is quite secure. Because of that, in recent years threat actors have focussed on exploiting it via vulnerabilities in plugins rather than attacking it directly.
LearnPress is a WordPress plugin used for creating and selling courses online, with extra paid options available for additional features. This is something which would no doubt have been popular over the pandemic, and indeed up to the present day, as companies continue to lean heavily on online and remote services.
A ripe target, then, for exploitation and targeted attacks.
Somewhere in the region of 100,000 sites make use of the LearnPress plugin, all of which will need to upgrade to LearnPress 4.2.0 if they haven’t already.
The vulnerabilities are:
Patchstack discovered the three issues between November 30, 2022 and December 4, 2022, with initial outreach on the same day as the first discovery, and subsequent details passed on over the following days. The issues were patched on December 20.
This is a fairly speedy turnaround compared to some of the other timeline notifications we've seen for plugins. Indeed, it's not uncommon to not hear back from a developer at all and discover the plugin has been abandoned. (If you ever find yourself dealing with an abandoned plugin, you'll need to untangle your site from it, which can cause additional complications and headaches for the site admin.)
Just to reiterate, upgrading your LearnPress install to version 4.2.0 is the way to lock these particular vulnerabilities down. With this done, you shouldn't have any more concerns.
As for your plugins generally, this may be the perfect time to have a quick spring clean of your site and see which plugins you need and which ones you don't:
If you can't make enough time available to keep on top of themes and plugins, don’t let skipping it become an option: pay somebody to do it for you.
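One way to turn the advice above into a repeatable check, as an added example that is not from the article or from Malwarebytes: the script below audits a WordPress plugin inventory for a LearnPress install below the fixed 4.2.0 release and lists inactive plugins as removal candidates. It assumes WP-CLI is installed on the site (`wp plugin list --format=csv --fields=name,status,update,version`); the CSV sample embedded here is constructed so the script runs offline.

```shell
#!/bin/sh
# Audit a WordPress plugin inventory for two things the article asks for:
#   (a) LearnPress still below the patched release (4.2.0), and
#   (b) inactive plugins, which are candidates for removal.
# Input is the CSV that WP-CLI produces with
#   wp plugin list --format=csv --fields=name,status,update,version
# The sample below is constructed for this example, not taken from a real site.

SAMPLE_PLUGIN_CSV='name,status,update,version
learnpress,active,available,4.1.7
akismet,active,none,5.0.2
hello,inactive,none,1.7.2
wp-super-cache,inactive,available,1.9.4'

# version_lt A B: succeeds (exit 0) when dotted version A is older than B.
# Compares component by component so 4.10.0 correctly sorts after 4.2.0;
# pre-release suffixes such as "-beta" are ignored (only the numeric prefix counts).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# audit_plugins CSV FIXED_VERSION: prints one line per finding.
#   UPGRADE <plugin> <installed> -> <fixed>   LearnPress is below the fixed release
#   REVIEW  <plugin> inactive                  plugin is installed but not in use
audit_plugins() {
  csv="$1"
  fixed="$2"
  printf '%s\n' "$csv" | tail -n +2 | while IFS=, read -r name status update version; do
    if [ "$name" = "learnpress" ] && version_lt "$version" "$fixed"; then
      printf 'UPGRADE %s %s -> %s\n' "$name" "$version" "$fixed"
    fi
    if [ "$status" = "inactive" ]; then
      printf 'REVIEW %s inactive (remove if unused)\n' "$name"
    fi
  done
}

# Stand-alone run against the constructed sample.
audit_plugins "$SAMPLE_PLUGIN_CSV" 4.2.0
```

Against a live site, replace the sample with real WP-CLI output: `audit_plugins "$(wp plugin list --format=csv --fields=name,status,update,version)" 4.2.0`. The same loop extends naturally to any other plugin with a known fixed version; the point is that version checks and unused-plugin reviews become something you can schedule rather than remember.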
Stay safe out there!