CVE-2026-31922

Ays Pro · Fox LMS (WordPress Plugin)

The Ays Pro Fox LMS plugin for WordPress is vulnerable to Blind SQL Injection, allowing attackers to exfiltrate data from the database through inference.

Executive summary

The Ays Pro Fox LMS plugin contains a high-severity Blind SQL Injection vulnerability that enables attackers to silently extract sensitive information from the WordPress database.

Vulnerability

This vulnerability is a Blind SQL Injection flaw caused by improper neutralization of user-supplied input in SQL commands. Because the application returns neither error messages nor query output to the attacker, the database contents are inferred indirectly, using time-based techniques (observing whether a request is delayed) or boolean-based techniques (observing whether a page's response changes).
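The following added example (not code from the plugin or from this advisory) illustrates what "improper neutralization" means in practice. It uses an in-memory SQLite table whose schema, rows and function names are assumptions for illustration only; the contrast is between splicing a user value into the SQL text and passing it as a bound parameter. In a WordPress plugin the equivalent hardened form is `$wpdb->prepare()` with placeholders.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a course table; the schema
    # and sample rows are assumptions, not the plugin's real data model.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT, author TEXT)"
    )
    conn.executemany(
        "INSERT INTO courses (title, author) VALUES (?, ?)",
        [("Intro to Python", "O'Brien"), ("Web Security Basics", "Rivera")],
    )
    return conn


def find_by_author_unsafe(conn, author):
    # Improper neutralization: the value is spliced into the statement text,
    # so any quote or operator inside it becomes part of the SQL grammar.
    sql = f"SELECT id, title FROM courses WHERE author = '{author}'"
    return conn.execute(sql).fetchall()


def find_by_author_safe(conn, author):
    # Parameterized query: the driver sends the value separately from the
    # statement, so it can never alter the statement's structure.
    sql = "SELECT id, title FROM courses WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def compare(author):
    """Run both variants on the same input and return (unsafe, safe) results."""
    conn = make_db()
    try:
        unsafe = find_by_author_unsafe(conn, author)
    except sqlite3.OperationalError as exc:
        # A single apostrophe in the input already breaks the unsafe statement,
        # which is the same defect an injection payload exploits.
        unsafe = f"error: {exc}"
    safe = find_by_author_safe(conn, author)
    return unsafe, safe


if __name__ == "__main__":
    for name in ("Rivera", "O'Brien"):
        print(repr(name), "->", compare(name))
```

A benign name such as `Rivera` behaves identically in both variants; a legitimate name containing an apostrophe (`O'Brien`) makes the concatenated statement fail while the parameterized one still returns the correct row. Any code path that breaks on an apostrophe is one that an attacker can steer, which is why the fix is parameterization rather than filtering keywords.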

Business impact

With a CVSS score of 8.5, this vulnerability poses a significant threat to the confidentiality of student and course data. Attackers could steal users' password hashes, personal details, and administrative credentials, leading to a full site takeover and long-term data exfiltration.

Remediation

Immediate Action: Apply the latest security update for the Ays Pro Fox LMS plugin to close the SQL Injection vector.

Proactive Monitoring: Monitor for unusually slow database response times, which can be a symptom of time-based Blind SQL Injection attempts.

Compensating Controls: Use database-level security controls (least-privilege database accounts, query timeouts) and a WAF to detect and drop suspicious requests containing SQL keywords or logical operators.
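The monitoring and compensating-control items above can be exercised against web-server logs. The script below is an added example written for this page, not a tool from the vendor or the advisory's authors. It assumes a combined-format access log with the request duration in seconds appended as a final field (an assumption; adjust the regex for your server), and the `action=example_plugin_action` endpoint in the constructed sample lines is a placeholder, not a real Fox LMS endpoint. It flags three signals that blind SQL Injection produces: SQL-looking tokens in parameters, responses far slower than the endpoint's median, and one client cycling many distinct values through the same parameter, which inference-based extraction requires.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not real traffic). Duration in seconds is the
# last field; the plugin action name is a placeholder.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_action&q=python HTTP/1.1" 200 512 0.041
203.0.113.10 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_action&q=python%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 512 5.012
203.0.113.10 - - [01/Jan/2026:10:00:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_action&q=python%27+AND+1%3D1--+ HTTP/1.1" 200 640 0.043
203.0.113.10 - - [01/Jan/2026:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_action&q=python%27+AND+1%3D2--+ HTTP/1.1" 200 512 0.040
198.51.100.7 - - [01/Jan/2026:10:00:12 +0000] "GET /course/intro/ HTTP/1.1" 200 8192 0.120
198.51.100.7 - - [01/Jan/2026:10:00:30 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_action&q=java HTTP/1.1" 200 480 0.039
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$"
)

# Generic WAF-style tokens, matched on the URL-decoded parameter value.
# Bare "or"/"and" are only matched after a quote and before a comparison,
# which keeps ordinary search text ("cats and dogs") from alerting.
SQL_TOKENS = re.compile(
    r"(sleep\s*\(|benchmark\s*\(|union\s+select|'\s*(or|and)\s+[\w']+\s*=)", re.I
)

SLOW_FACTOR = 10.0  # flag responses this many times slower than the endpoint median
MIN_PROBES = 3      # distinct values of one parameter from one IP to one endpoint


def parse_log(text):
    """Parse log lines into dicts; lines not matching the assumed format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        parts = urlsplit(d["target"])
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        rows.append({"ip": d["ip"], "path": parts.path,
                     "params": params, "secs": float(d["secs"])})
    return rows


def detect(rows):
    """Return a list of (signal, ip, path, detail) tuples."""
    findings = []
    # 1) SQL-looking tokens inside parameter values.
    for r in rows:
        for key, val in r["params"].items():
            if SQL_TOKENS.search(val):
                findings.append(("sql_token", r["ip"], r["path"], key))
    # 2) Responses far slower than the same endpoint's median (time-based probes).
    by_path = defaultdict(list)
    for r in rows:
        by_path[r["path"]].append(r["secs"])
    medians = {p: statistics.median(v) for p, v in by_path.items()}
    for r in rows:
        if r["secs"] > SLOW_FACTOR * medians[r["path"]] and r["secs"] > 1.0:
            findings.append(("slow_response", r["ip"], r["path"], round(r["secs"], 3)))
    # 3) One client cycling many distinct values through one parameter (inference).
    probes = defaultdict(set)
    for r in rows:
        for key, val in r["params"].items():
            probes[(r["ip"], r["path"], key)].add(val)
    for (ip, path, key), vals in probes.items():
        if len(vals) >= MIN_PROBES:
            findings.append(("parameter_cycling", ip, path, key))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample, only the first client trips the rules: three parameter values carry SQL tokens, one response is roughly a hundred times slower than its endpoint's median, and the `q` parameter is cycled through four distinct values. The second client's slow-ish page load stays under both the absolute and relative thresholds. Latency alone is a weak signal (backups, cache misses and plain load also produce slow responses), so in production combine it with the token and cycling signals, and tune `SLOW_FACTOR` and `MIN_PROBES` against a baseline of normal traffic before alerting on them.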

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity, immediate patching is mandatory. Organizations using Fox LMS must update the plugin to the latest version to prevent unauthorized data access and protect the privacy of their learning management system.