EUVD-2026-14691
GHSA-6wfv-pvq4-3jvg
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
The LearnDash LMS plugin for WordPress contains a blind time-based SQL injection vulnerability in the 'filters[orderby_order]' parameter of the 'learndash_propanel_template' AJAX action, affecting all versions up to and including 5.0.3. Authenticated attackers with Contributor-level access or higher can exploit insufficient input escaping and lack of prepared statements to extract sensitive database information through time-based SQL injection techniques. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today