Add LearnPress SQLi module (CVE-2024-8522, CVE-2024-8529)

[Chocapikk]

Hello Metasploit Team,

I am submitting a new auxiliary module that exploits two unauthenticated SQL injection vulnerabilities in the LearnPress WordPress LMS Plugin (version <= 4.2.7). These vulnerabilities allow attackers to perform blind SQL injection via the c_only_fields and c_fields parameters.

Summary of changes:

• Module location: auxiliary/scanner/http/wp_learnpress_c_fields_sqli
• Vulnerabilities targeted:
  • CVE-2024-8522: SQL injection via the c_only_fields parameter.
  • CVE-2024-8529: SQL injection via the c_fields parameter.
• Docker environment: Instructions are included for setting up a vulnerable WordPress instance with LearnPress using Docker. This setup allows for easy testing of the exploit.
• Metasploit module: The module allows users to select between the two vulnerabilities (c_only_fields for CVE-2024-8522 and c_fields for CVE-2024-8529) and includes options such as specifying the number of rows to retrieve (COUNT).

Usage and Verification:

The module has been tested using a Docker environment running WordPress with LearnPress 4.2.7 installed. The setup instructions and verification steps are outlined in the documentation file.

Let me know if you need any further changes or if there are any issues during the review.