CVE-2024-56940
Published: 12 February 2025
Description
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Security Summary
CVE-2024-56940 affects the profile image upload function in LearnDash version 6.7.1, a WordPress learning management system plugin. The vulnerability enables attackers to trigger a Denial of Service (DoS) condition by performing excessive file uploads, leading to uncontrolled resource consumption (CWE-400). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), a high severity rating that reflects its potential for significant availability disruption.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By uploading excessive files to the profile image function, they can overwhelm server resources, causing the service to become unavailable and impacting legitimate users.
The issue is documented in the referenced GitHub repository at https://github.com/nikolas-ch/CVEs/tree/main/LearnDash_v6.7.1, where details on mitigation, including any patches or workarounds, can be found.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables denial of service via excessive file uploads to the profile image endpoint, which exhausts application resources and is consistent with the Application Exhaustion Flood technique.