CVE-2026-3079
Description
The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind time-based SQL injection in LearnDash LMS <=5.0.3 allows authenticated Contributors+ to extract sensitive data via the 'filters[orderby_order]' parameter.
Root cause
The LearnDash LMS WordPress plugin versions up to and including 5.0.3 are vulnerable to blind time-based SQL injection. The vulnerability exists in the learndash_propanel_template AJAX action, specifically through the filters[orderby_order] parameter. The core issue is insufficient escaping of user-supplied input combined with inadequate preparation of the existing SQL query [1][2].
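The safe handling of a sort parameter that this root cause calls for, as an added example that is not LearnDash's code: $wpdb->prepare() parameterizes values only, never an ORDER BY column or its ASC/DESC direction, so a sort parameter such as orderby_order must be validated against a fixed allowlist rather than escaped. The column list, table name and function names below are hypothetical.

```php
<?php
// Added example (not LearnDash's code). Hypothetical allowlists for a report
// query; a real plugin would list the columns its report actually sorts on.
const EXAMPLE_ORDERBY_COLUMNS   = array( 'activity_id', 'activity_started', 'activity_completed' );
const EXAMPLE_ORDER_DIRECTIONS  = array( 'ASC', 'DESC' );

/**
 * Return a safe ORDER BY clause built from $filters. Any value that is not in
 * the allowlist falls back to the default, so raw input never reaches SQL.
 */
function example_safe_orderby( array $filters ) {
	$column    = isset( $filters['orderby_column'] ) ? (string) $filters['orderby_column'] : '';
	$direction = isset( $filters['orderby_order'] ) ? strtoupper( (string) $filters['orderby_order'] ) : '';

	// Strict comparison: "DESC " or "desc, 1" must not match.
	if ( ! in_array( $column, EXAMPLE_ORDERBY_COLUMNS, true ) ) {
		$column = 'activity_id';
	}
	if ( ! in_array( $direction, EXAMPLE_ORDER_DIRECTIONS, true ) ) {
		$direction = 'DESC';
	}

	// Both parts are now allowlisted literals, so concatenation is safe.
	return 'ORDER BY `' . $column . '` ' . $direction;
}

/**
 * Build the full query: the WHERE value goes through $wpdb->prepare() as a
 * %d placeholder, the ORDER BY clause comes from the allowlist function.
 * The table name example_activity is hypothetical.
 */
function example_build_activity_query( $wpdb, array $filters, $user_id ) {
	$orderby = example_safe_orderby( $filters );
	return $wpdb->prepare(
		"SELECT activity_id, activity_started FROM {$wpdb->prefix}example_activity WHERE user_id = %d " . $orderby,
		(int) $user_id
	);
}
```

With this pattern a request carrying filters[orderby_order]=DESC sorts as requested, while any other string silently sorts by the default and never changes the query shape.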
Exploitation
An authenticated attacker with at least Contributor-level access can exploit this flaw by sending a crafted AJAX request. No additional privileges are required beyond a standard Contributor account. The attacker does not need direct database access; they inject malicious SQL code into the orderby_order parameter, which then gets appended to legitimate queries executed by the ProPanel module. The attack is blind time-based, meaning the attacker infers information by observing response timing differences [1][2].
Impact
A successful exploitation allows the attacker to extract any sensitive information stored in the WordPress database. This could include user credentials, personal data, payment details, or other confidential records managed by the site. Because the injection is blind and time-based, data extraction is slow but thorough. The vulnerability does not directly allow remote code execution or file modification, but the potential for data exfiltration represents a serious privacy and security risk [1][2].
Mitigation
The vendor has released a security update addressing this issue. While the specific patched version is not listed in the changelog provided, the advisory notes that LearnDash LMS 5.1.0 is now the minimum supported version for the ProPanel 3.1.05 release [2]. Administrators should update the LearnDash LMS plugin to the latest available version immediately. There are no known workarounds; applying the patched release is the only reliable mitigation.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (7)
- www.learndash.com (nvd)
- plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/ld-reports.php (nvd)
- plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/class-ld-propanel-activity.php (nvd)
- plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/class-ld-propanel-base-widget.php (nvd)
- plugins.trac.wordpress.org/browser/sfwd-lms/trunk/includes/reports/includes/gutenberg/lib/enqueue-scripts.php (nvd)
- www.learndash.com/changelog/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/29a560fa-03bf-435c-85da-68397deab2a6 (nvd)
News mentions (1)
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026), Wordfence Blog, Apr 2, 2026