LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course , CVE-2024-10008

CVE, Research URL: CVE-2024-10008
Home page URL: Security reports for LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course
Application: LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course
Published on: Oct 29, 2024
Research Description: The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students.
Affected versions: max 1.13.4.
Status: vulnerable

LMS by Masteriyo &#8211; WordPress Learning Management System, eLearning Platform, Online Education System &amp; Online Course , CVE-2024-10008