Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin

On June 5, 2023, our Wordfence Threat Intelligence team identified an Arbitrary User Password Change vulnerability in the LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our estimates, and began the responsible disclosure process. This vulnerability makes it possible for any user with an existing account to reset arbitrary user passwords, including those of accounts with administrative-level access.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence will receive the same protection on July 5, 2023.

We contacted the LearnDash team on June 5, 2023, and received a response the same day. After providing full disclosure details, the developer released a patch on June 6, 2023. We would like to commend the LearnDash support and development team for their prompt response and timely patch, which was released in just one day.

We urge users to update their sites with the latest patched version of LearnDash LMS, version 4.6.0.1 at the time of this writing, as soon as possible considering this is a vulnerability with a critical impact.

Vulnerability Summary from Wordfence Intelligence

Description: LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Affected Plugin: LearnDash LMS
Plugin Slug: sfwd-lms
Affected Versions: <= 4.6.0
CVE ID: CVE-2023-3105
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lana Codes
Fully Patched Version: 4.6.0.1

The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with existing account access at any level, to change user passwords and potentially take over administrator accounts.

Technical Analysis

The LearnDash LMS plugin provides the shortcode ‘[ld_reset_password]’ to embed a password reset form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key.

Examining the code reveals that the plugin checks that the user activation key belongs to the given user with the learndash_reset_password_verification() function only when displaying the new password form, where the new password can be entered.

// The activation key is checked against the user only here, while rendering the 'rp' form.
if ( isset( $_GET['action'] ) && 'rp' === $_GET['action'] ) {
	$key        = ( isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '' );
	$user       = ( isset( $_GET['login'] ) ? get_user_by( 'login', sanitize_text_field( wp_unslash( $_GET['login'] ) ) ) : '' );
	$key_verify = learndash_reset_password_verification( $user, $key );
	if ( 'WP_Error' === get_class( $key_verify ) ) {
		$status['message'] = esc_html__( 'Invalid key, please check your reset password link and try again.', 'learndash' );
		$status['type']    = 'warning';
		$status['action']  = 'prevent_reset';
	}
}

Verifying the key at the ‘rp’ action

if ( isset( $_GET['action'] ) && 'rp' === $_GET['action'] && ! isset( $status ) ) {
	?>
	<form action="" method="POST">

Display the ‘rp’ form if the status is not an error

However, there is no user activation key check when processing this form: the handler trusts the submitted username alone. This makes it possible for any authenticated user who has reached the password reset form via the link sent in their own reset email to modify the password of another user simply by changing the value of the hidden username input field.

// The POST handler checks the nonce only; the activation key is never re-verified,
// so the password is set for whatever 'user_login' value the form submits.
if (
	isset( $_POST['user_login'] )
	&& isset( $_POST['reset_password'] )
	&& ! empty( $_POST['learndash-reset-password-form-post-nonce'] )
	&& wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['learndash-reset-password-form-post-nonce'] ) ), 'learndash-reset-password-form-post-nonce' )
) {
	$new_password = sanitize_text_field( wp_unslash( $_POST['reset_password'] ) );
	$user         = get_user_by( 'login', sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) );
	learndash_reset_password_set_user_new_password( $user, $new_password );
}

Processing the new password setting form
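The root cause is that the key verification performed for the ‘rp’ GET request is not repeated when the POST is processed, so the nonce is the only check standing between the submitted username and the password change. The following handler is an added illustration of the defensive shape such code should take; it is not LearnDash's code or its actual patch. It assumes the form carries the reset key in a hidden field named rp_key (a hypothetical name) and uses WordPress core's check_password_reset_key() and reset_password() to bind the change to the account that owns the key.

```php
<?php
// Illustrative hardened handler (not the plugin's code). Assumes the 'rp' form
// includes hidden fields 'user_login' and 'rp_key' (hypothetical) plus the nonce.
function example_handle_reset_password_post() {
	if (
		! isset( $_POST['user_login'], $_POST['rp_key'], $_POST['reset_password'] )
		|| empty( $_POST['learndash-reset-password-form-post-nonce'] )
		|| ! wp_verify_nonce(
			sanitize_text_field( wp_unslash( $_POST['learndash-reset-password-form-post-nonce'] ) ),
			'learndash-reset-password-form-post-nonce'
		)
	) {
		return new WP_Error( 'invalid_request', 'Missing fields or invalid nonce.' );
	}

	$login        = sanitize_text_field( wp_unslash( $_POST['user_login'] ) );
	$key          = sanitize_text_field( wp_unslash( $_POST['rp_key'] ) );
	$new_password = wp_unslash( $_POST['reset_password'] );

	// A nonce only proves the form was rendered for this session; it says nothing
	// about whether the session owns the target account. check_password_reset_key()
	// (WordPress core) returns the WP_User whose stored activation key matches both
	// $key and $login, or a WP_Error when the key is wrong, expired, or for another user.
	$user = check_password_reset_key( $key, $login );
	if ( is_wp_error( $user ) ) {
		return $user;
	}

	// Set the password on the user object returned by the key check, never on a
	// second lookup of the submitted login, so a tampered hidden field cannot
	// redirect the change to a different account. reset_password() also clears
	// the activation key so the link cannot be replayed.
	reset_password( $user, $new_password );

	return $user->ID;
}
```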

As with any Arbitrary User Password Change vulnerability that leads to Privilege Escalation, this can be used for complete site compromise. Once an attacker has gained administrative access to a WordPress site, they can manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and to modify posts and pages, which can be leveraged to redirect site users to other malicious sites.

Disclosure Timeline

June 5, 2023 – Discovery of the Arbitrary User Password Change vulnerability in LearnDash LMS.
June 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
June 5, 2023 – The vendor confirms the inbox for handling the discussion.
June 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
June 5, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
June 6, 2023 – A fully patched version of the plugin, 4.6.0.1, is released.
July 5, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we have detailed an Arbitrary User Password Change vulnerability within the LearnDash LMS plugin affecting versions 4.6.0 and earlier. This vulnerability allows threat actors to easily take over websites by resetting the password of any user, including administrators. The vulnerability has been fully addressed in version 4.6.0.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of LearnDash LMS.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence will receive the same protection on July 5, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.


Comments (3)
  • Does this only affect WordPress sites where the shortcode [ld_reset_password] is embedded somewhere on the website?

    • Hi Oscar.

      Yes, the vulnerability requires the [ld_reset_password] shortcode or the ld-reset-password Gutenberg block to be embedded on the website. The Gutenberg block loads the [ld_reset_password] shortcode, so it’s essentially the same.

      If the reset password page is selected in the plugin settings, the plugin will automatically add the ld-reset-password block to that page, making this exploitable.

      It’s worth mentioning that there are ways to list the pages, so if there is a reset password page somewhere on the website, attackers will likely be able to find it.

      • Alright, thanks for your reply!