On June 5, 2023, the Wordfence Threat Intelligence team identified, and began the responsible disclosure process, for an Arbitrary User Password Change vulnerability in LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our estimates. This vulnerability makes it possible for any user with an existing account to reset arbitrary user passwords, including user accounts with administrative-level access.
Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence received the same protection on July 5, 2023.
Wordfence contacted the LearnDash team on June 5, 2023, and received a response the same day. After providing full disclosure details, the developer released a patch on June 6, 2023. We would like to commend the LearnDash support and development team for their prompt response and timely patch, which was released in just one day.
We urge users to update their sites with the latest patched version of LearnDash LMS, version 126.96.36.199 at the time of this writing, as soon as possible considering this is a vulnerability with a critical impact.