{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3079", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-23T21:17:19.700Z", "datePublished": "2026-03-24T01:25:21.251Z", "dateUpdated": "2026-04-08T16:43:20.936Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:20.936Z"}, "affected": [{"vendor": "StellarWP", "product": "LearnDash LMS", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "LearnDash LMS <= 5.0.3 - Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29a560fa-03bf-435c-85da-68397deab2a6?source=cve"}, {"url": "http://www.learndash.com/"}, {"url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/ld-reports.php#L1233"}, {"url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/class-ld-propanel-base-widget.php#L149"}, {"url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/class-ld-propanel-activity.php#L338"}, {"url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/gutenberg/lib/enqueue-scripts.php#L51"}, {"url": "https://www.learndash.com/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-03-10T16:30:07.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T12:12:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:55:07.720783Z", "id": "CVE-2026-3079", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:56:05.746Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3079", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:55:07.720783Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:55:56.669Z"}}], "cna": {"title": "LearnDash LMS <= 5.0.3 - Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "StellarWP", "product": "LearnDash LMS", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-10T16:30:07.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-23T12:12:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29a560fa-03bf-435c-85da-68397deab2a6?source=cve"}, {"url": "http://www.learndash.com/"}, {"url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/ld-reports.php#L1233"}, {"url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/class-ld-propanel-base-widget.php#L149"}, {"url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/class-ld-propanel-activity.php#L338"}, {"url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/gutenberg/lib/enqueue-scripts.php#L51"}, {"url": "https://www.learndash.com/changelog/"}], "descriptions": [{"lang": "en", "value": "The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:20.936Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3079", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:20.936Z", "dateReserved": "2026-02-23T21:17:19.700Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-24T01:25:21.251Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El plugin LearnDash LMS para WordPress es vulnerable a inyecci\u00f3n SQL ciega basada en tiempo a trav\u00e9s del par\u00e1metro 'filters[orderby_order]' en la acci\u00f3n AJAX 'learndash_propanel_template' en todas las versiones hasta la 5.0.3, inclusive. Esto se debe a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y a la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, a\u00f1adan consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n sensible de la base de datos."}], "id": "CVE-2026-3079", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-24T02:16:05.633", "references": [{"source": "security@wordfence.com", "url": "http://www.learndash.com/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/ld-reports.php#L1233"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/class-ld-propanel-activity.php#L338"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/class-ld-propanel-base-widget.php#L149"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/gutenberg/lib/enqueue-scripts.php#L51"}, {"source": "security@wordfence.com", "url": "https://www.learndash.com/changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29a560fa-03bf-435c-85da-68397deab2a6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LearnDash LMS", "source": "cna", "vendor": "StellarWP"}, "product": "learndash_lms", "vendor": "stellarwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-24T03:36:39.309334+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest LearnDash LMS version (greater than 5.0.3) to patch the vulnerable code", "If an immediate upgrade is not possible, restrict Contributor\u2011level access or remove the vulnerable AJAX endpoint until a patch is applied", "Audit your WordPress installation for unauthorized or unexpected database activity and review logs for signs of injection attempts", "Maintain regular backups of both the database and the website files to ensure quick restoration if data integrity is compromised", "Keep all WordPress plugins, themes, and core up to date to reduce the overall attack surface"], "summary": {"action": "Apply Patch", "impact": "Blind time-based SQL Injection enabling data exfiltration"}, "threat_synthesis": {"affected_systems": "Affected systems include all installations of StellarWP's LearnDash LMS plugin for WordPress with version numbers up to and including 5.0.3. No specific sub\u2011version details are listed beyond that threshold, so any site deploying LearnDash 5.0.3 or earlier remains vulnerable.", "description_and_impact": "The LearnDash LMS plugin for WordPress contains a blind time\u2011based SQL injection flaw in the 'learndash_propanel_template' AJAX action. The vulnerability is triggered through the 'filters[orderby_order]' parameter, which does not undergo proper escaping or SQL preparation. By injecting specially crafted SQL, a malicious actor can append additional queries to the original statement, potentially leaking sensitive information from the database. This flaw only affects users who can authenticate with at least Contributor\u2011level permissions.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.5, indicating moderate severity, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is not provided, but the requirement for authenticated users limits the scope of exploitation to site administrators who have granted Contributor or higher access. Nonetheless, once authenticated, an attacker can use the time\u2011based blind injection to gather data; the lack of a public exploit suggests exploitation may still require manual effort. Administrators should treat this as a moderate to high risk due to potential data exposure."}}}}, "created": "2026-03-24T10:29:27.135918+00:00", "updated": "2026-03-25T20:40:32.694670+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$learndash_lms", "wordpress", "wordpress$PRODUCT$wordpress"]}