Attack Vectors

CVE-2026-3079 is a Medium-severity vulnerability (CVSS 6.5) affecting the LearnDash LMS WordPress plugin (sfwd-lms) in versions up to and including 5.0.3. The issue can be exploited by an authenticated user with Contributor-level access or higher.

The attack path involves an AJAX request using the learndash_propanel_template action, where the attacker supplies a malicious value in the filters[orderby_order] parameter. Because the vulnerability is blind time-based SQL injection, an attacker may not see direct database output on-screen, but can still infer and extract sensitive data by observing response timing.

From a business perspective, the most realistic entry points include:

• A compromised Contributor (or higher) account via reused passwords, phishing, or credential stuffing.
• Overly broad user roles granted to contractors, content partners, or internal staff.
• Sites that allow user registration and assign Contributor (or higher) privileges.

Security Weakness

LearnDash LMS is vulnerable due to insufficient escaping of user-supplied input and a lack of sufficient SQL query preparation for the filters[orderby_order] parameter used in the learndash_propanel_template AJAX action. This weakness can allow an authenticated attacker to append additional SQL into an existing query.

While authentication is required (reducing exposure versus fully public attacks), this remains a meaningful risk because Contributor-level accounts are common in marketing workflows (content publishing, landing page updates, campaign support) and are frequently targeted.

Remediation: Update LearnDash LMS to version 5.0.3.1 or a newer patched version. Reference: Wordfence vulnerability advisory. CVE record: CVE-2026-3079.

Technical or Business Impacts

This vulnerability can enable database data exposure. The published CVSS vector indicates a High impact to confidentiality (C:H), meaning sensitive information stored in the WordPress database may be at risk if an attacker gains (or already has) Contributor+ access.

Potential business impacts include:

• Data privacy and compliance exposure: Disclosure of personal data (user profiles, emails, course enrollment details, and other records stored in the database) can trigger regulatory obligations, contractual notifications, and reputational harm.
• Credential and account risk: If sensitive data is extracted, attackers may attempt lateral movement (using harvested information to target administrators, payment systems, or other SaaS tools).
• Brand and revenue impact: For organizations using LearnDash LMS for training, certification, or customer education, a data incident can reduce trust, increase churn, and disrupt lead-generation and customer enablement programs.
• Incident response cost: Even “Medium” vulnerabilities can become costly when they involve sensitive data access and require forensic review, legal/compliance review, and communications planning.

Risk is materially higher if your WordPress site integrates e-commerce, memberships, or marketing automation, because the database may contain additional customer and operational data beyond LMS records.

Similar Attacks

SQL injection has a long history of leading to significant data exposure when attackers can reach database queries with untrusted input. Examples:

• TalkTalk (2015) cyberattack (widely reported as involving SQL injection and resulting in large-scale customer data exposure and business disruption).
• Heartland Payment Systems (2008) data breach (commonly cited as stemming from SQL injection and leading to extensive payment card compromise and significant financial impact).