CVE-2022-0441
published 2022-03-07


Priority: P189, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 85.33% (99.7th percentile)

The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin.

Affected (1 range)

Vendor: stylemixthemes
Product: masterstudy_lms
Version range: < 2.7.6
Fixed in: 2.7.6

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=stm_lms_register&nonce={{nonce}}
command: {"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}
yara regex: '"stm_lms_register":"([0-9a-z]+)"'
  • Look for POST requests to /wp-admin/admin-ajax.php with action=stm_lms_register containing a JSON body with 'profile_default_fields_for_register' key including 'wp_capabilities' set to administrator:1 — this is the privilege escalation payload.
  • Detect the specific JSON key path 'profile_default_fields_for_register.wp_capabilities.value.administrator' with value 1 in POST body to admin-ajax.php as the indicator of exploitation attempt.
  • A successful exploitation response contains both 'Registration completed successfully' and '"status":"success"' in the HTTP response body with Content-Type application/json.
  • The nonce value required for the attack is extracted from the page source via the pattern '"stm_lms_register":"([0-9a-z]+)"' — monitor for reconnaissance GET requests followed immediately by the malicious POST.
  • The attack is unauthenticated; no session cookie or prior login is required. Any POST to admin-ajax.php?action=stm_lms_register from an unauthenticated source should be treated as suspicious.
  • The nonce value in the exploit URL is dynamic and must be harvested from the target page before the attack POST; it is not a static IOC.
  • The vulnerability only affects MasterStudy LMS plugin versions strictly before 2.7.6; version 2.7.6 and above are patched.
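
One way to apply the detection notes above to logged requests, as an added example that is not code from the plugin or from the sources this page quotes. It assumes a proxy or WAF log that records method, URL and request body; the record layout, function names and sample records are constructed, and matching any key ending in "capabilities" with any role name goes beyond the single administrator case shown above.

```python
import json
from urllib.parse import urlsplit, parse_qs

def injected_roles(body):
    """Role names a registration body tries to set through a *capabilities field."""
    try:
        fields = json.loads(body).get("profile_default_fields_for_register")
    except (ValueError, AttributeError, TypeError):
        return []  # not JSON, or JSON that is not an object
    if not isinstance(fields, dict):
        return []
    roles = set()
    for name, field in fields.items():
        # Assumption: match "<table prefix>capabilities", not only wp_capabilities.
        if not name.endswith("capabilities") or not isinstance(field, dict):
            continue
        value = field.get("value")
        if isinstance(value, dict):
            roles.update(role for role, enabled in value.items() if enabled)
    return sorted(roles)

def classify(req):
    """Return None (unrelated request), 'registration' or 'role-injection'."""
    url = urlsplit(req["url"])
    action = parse_qs(url.query).get("action", [""])[0]
    if (req["method"] != "POST"
            or not url.path.endswith("/wp-admin/admin-ajax.php")
            or action != "stm_lms_register"):
        return None
    return "role-injection" if injected_roles(req["body"]) else "registration"

# Constructed sample records (not captured traffic); the nonce is a made-up value.
REG = "/wp-admin/admin-ajax.php?action=stm_lms_register&nonce=0a1b2c3d4e"
SAMPLES = [
    {"method": "POST", "url": REG, "body": '{"user_login":"u1",'
     '"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}'},
    {"method": "POST", "url": REG, "body": '{"user_login":"student1",'
     '"profile_default_fields_for_register":[]}'},
    {"method": "POST", "url": REG, "body": '{"user_login":"u2",'
     '"profile_default_fields_for_register":{"wp_capabilities":{"value":{"editor":1}}}}'},
    {"method": "POST", "url": REG, "body": '{"user_login":'},  # truncated body
    {"method": "POST", "url": "/wp-admin/admin-ajax.php?action=heartbeat", "body": "x=1"},
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(classify(record), injected_roles(record["body"]))
```
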

CVSS provenance

nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 9.8 CRITICAL