CVE-2024-3136
Published 2024-04-09
Priority: P273 | Severity: critical | CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.02% (91.2th percentile)
The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stylemix | masterstudy_lms_wordpress_plugin_for_online_courses_and_education | <= 3.3.3 | — |
| stylemixthemes | masterstudy_lms | < 3.3.4 | 3.3.4 |
Detection & IOCs (extracted from sources)
url: /wp-admin/admin-ajax.php?template=../../../../../../../../usr/local/lib/php/pearcmd&+config-create
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the 'template' parameter containing directory traversal sequences (e.g., '../') targeting pearcmd or other PHP files.
- Look for POST body containing 'action=stm_lms_load_content' combined with a nonce value, as this is the AJAX action abused for unauthenticated LFI.
- A successful probe response will contain the string 'config-create: must have 2 parameters' in the response body with HTTP 200, indicating pearcmd LFI exploitation.
- Presence of the plugin directory path in HTTP responses or requests can be used to fingerprint vulnerable installations.
- The nonce value for the AJAX action can be extracted from the page body using the regex pattern '"load_content":"(\w+?)"', which attackers use to obtain a valid nonce before exploitation.
- The LFI is exploitable by unauthenticated attackers; no authentication or privilege is required, making it trivially exploitable at scale.
- The vulnerability affects all versions up to and including 3.3.3; the fix was introduced in 3.3.4. Detection rules should account for version-based filtering.
- The pearcmd-based exploitation chain (used in the Nuclei template) requires pearcmd.php to be present on the server; the actual LFI vector can target any file accessible to the web server process.
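The detection points above can be combined into one log check. The following is an added example, not code from this page's sources or from the plugin: it assumes request/response records are available as dictionaries with hypothetical keys url, body, status and response, and that the nonce travels in a form field named nonce. The sample records are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ABUSED_ACTION = "stm_lms_load_content"                  # action named on this page
PROBE_MARKER = "config-create: must have 2 parameters"  # response string named on this page
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")       # a ".." path segment

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding so encoded dot segments are matched too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(event):
    """Return the list of findings for one request/response record."""
    parts = urlsplit(event["url"])
    if parts.path != AJAX_PATH:
        return []
    # 'template' may arrive in the query string or the form body; merge both.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(event.get("body", ""), keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    findings = []
    templates = [fully_decode(t) for t in params.get("template", [])]
    if any(TRAVERSAL.search(t) for t in templates):
        findings.append("template-traversal")
        if ABUSED_ACTION in params.get("action", []):
            findings.append("abused-ajax-action")
    if event.get("status") == 200 and PROBE_MARKER in event.get("response", ""):
        findings.append("probe-response-marker")
    return findings

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE_EVENTS = [
    {"url": "/wp-admin/admin-ajax.php", "status": 200, "response": "{}",
     "body": "action=stm_lms_load_content&nonce=0000000000&template=course/lesson"},
    {"url": "/wp-admin/admin-ajax.php?template=../../../../usr/local/lib/php/pearcmd&+config-create",
     "body": "action=stm_lms_load_content&nonce=0000000000", "status": 200,
     "response": "config-create: must have 2 parameters"},
    {"url": "/wp-admin/admin-ajax.php", "status": 403, "response": "",
     "body": "action=stm_lms_load_content&template=%2e%2e%2f%2e%2e%2fx"},
]

if __name__ == "__main__":
    print([classify(ev) for ev in SAMPLE_EVENTS])
```

The action name alone is not flagged, since the same AJAX action may appear in ordinary plugin traffic; it is reported only alongside a traversal in 'template'.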
No detection rules found.
Nuclei
MasterStudy LMS <= 3.3.3 - Unauthenticated Local File Inclusion via template
nuclei·CVSS 9.8
CVE-2024-3136 [CRITICAL] MasterStudy LMS <= 3.3.3 - Unauthenticated Local File Inclusion via template
Template:
id: CVE-2024-3136
info:
  name: MasterStudy LMS <= 3.3.3 - Unauthenticated Local File Inclusion via template
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: The MasterStudy LMS plugin for WordPress i
No writeups or analysis indexed.
- https://plugins.trac.wordpress.org/changeset/3064337/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/helpers.php
- https://plugins.trac.wordpress.org/changeset/3064337/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/templates.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9a573740-cdfe-4b58-b33b-5e50bcbc4779?source=cve
Published: 2024-04-09