LearnDash issued the following email notification to all customers last night:
Dear valued customers,
We're reaching out to let you know that a security vulnerability was discovered in LearnDash, and a patch has been deployed to address it.This patch applies to all versions of LearnDash since 4.4.0. We recommend updating to LearnDash 4.6.0.1 as soon as possible to protect your website.If exploited, this vulnerability could allow any existing user to update passwords for other users. This process can be started if a website owner uses the [ld_reset_password] shortcode/block.As soon as we discovered this vulnerability, our team addressed it by implementing enhanced security measures around the reset password shortcode to ensure your website remains secure.If you have any questions about this issue, please get in touch with our support team. We’re here to assist in any way we can.Thank you for your attention to this matter.
Despite the severity of the tone, it appears that the vulnerability only applies to sites using the [ld_reset_password] shortcode which many of my own client sites have no user for. So whether you feel you need to rush into updating LearnDash based on this information can be carefully considered.
WordFence have just released a bit more information about what the vulnerability was:
Props to the LearnDash Devs for fixing this so quickly.
I was speaking to @chrisdiscoverelearninguk-com about this and the main frustration we had is that the vulnerability is nothing to do with LearnDash's main purpose (as an LMS). WordPress has its own, perfectly capable (and secure) password reset functionality, so having to patch sites because LearnDash decided to create their own is a bit of a pain.
Also interesting to note that WordFence estimate that LearnDash is used on over 100,000 sites!
Wow @mark that's an incredible number! It goes to show the breadth of activity taking place with WordPress use for education and training! 🤯