Cyber Posture

CVE-2024-56940

Severity: High

Published: 12 February 2025
Modified: 13 March 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0014 (34.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-56940 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in LearnDash (vendor LearnDash). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 34.4th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly protects against DoS attacks by limiting the effects of excessive file uploads that cause resource exhaustion.
- Prevent: Ensures resource availability by implementing controls to prevent unauthorized consumption from unauthenticated excessive profile image uploads.
- Prevent: Enforces restrictions on information inputs, such as file upload volume and rate, to mitigate uncontrolled resource consumption in the profile image function.

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability enables denial of service via excessive file uploads to the profile image endpoint, exhausting application resources consistent with Application Exhaustion Flood.

NVD Description

An issue in the profile image upload function of LearnDash v6.7.1 allows attackers to cause a Denial of Service (DoS) via excessive file uploads.

Deeper analysis

CVE-2024-56940 affects the profile image upload function in LearnDash version 6.7.1, a WordPress learning management system plugin. The vulnerability enables attackers to trigger a Denial of Service (DoS) condition by performing excessive file uploads, leading to uncontrolled resource consumption as indicated by CWE-400. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting high severity due to its potential for significant availability disruption.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By uploading excessive files to the profile image function, they can overwhelm server resources, causing the service to become unavailable and impacting legitimate users.

Details on mitigation, including any patches or workarounds, can be found in the referenced GitHub repository that documents the issue: https://github.com/nikolas-ch/CVEs/tree/main/LearnDash_v6.7.1.

Details

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Affected Products

learndash / learndash 6.7.1

CVEs Like This One

- CVE-2026-36958 (shared CWE-400)
- CVE-2026-6780 (shared CWE-400)
- CVE-2026-4726 (shared CWE-400)
- CVE-2025-21545 (shared CWE-400)
- CVE-2026-40481 (shared CWE-400)
- CVE-2025-2586 (shared CWE-400)
- CVE-2025-52636 (shared CWE-400)
- CVE-2026-26937 (shared CWE-400)
- CVE-2026-25771 (shared CWE-400)
- CVE-2026-36957 (shared CWE-400)
