CVE-2024-24882
published 2024-05-17


Priority: P179, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 2.11% (79.5th percentile)
Incorrect Privilege Assignment vulnerability in masteriyo Masteriyo - LMS learning-management-system. This issue affects Masteriyo - LMS: from n/a through <= 1.7.2.

Affected (2 ranges)

Vendor       Product          Version range   Fixed in
masteriyo    masteriyo_lms    <= 1.7.2        n/a
themegrill   masteriyo        < 1.7.3         1.7.3

Detection & IOCs (extracted from sources)

URL: /account/signup/
URL: /wp-json/masteriyo/v1/users/me/?_locale=user
Request body: {"first_name":"{{uname}}","last_name":"{{uname}}","email":"{{uname}}@gmail.com","role":"administrator","billing":{"state":"No state found"}}
Other: "roles":["administrator"]
  • Exploit registers a new user via /account/signup/ then sends a POST to /wp-json/masteriyo/v1/users/me/ with role=administrator to escalate privileges; detect unauthenticated or low-privilege REST API calls to this endpoint containing the 'role' field set to 'administrator'.
  • A successful exploitation returns HTTP 200 with Content-Type application/json and a body containing '"roles":["administrator"]'; monitor REST API responses for unexpected privilege escalation to administrator role.
  • The exploit uses the X-WP-Nonce header extracted from /account/ page to authenticate the privilege-escalation REST API request; monitor for REST API calls to masteriyo/v1/users/me with X-WP-Nonce from newly registered accounts.
  • The registration step uses the hidden field masteriyo-registration=yes; monitor POST requests to /account/signup/ containing this parameter as a precursor to the privilege escalation attempt.
  • The vulnerability affects Masteriyo LMS plugin versions up to and including 1.7.2; ensure patched versions (1.7.3 and later) are not flagged.

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL