CVE-2024-33939
Published: 2025-05-19
Priority: P180 · medium · CVSS 3.1 base score 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 0.84% (53.3rd percentile)
Authentication Bypass Using an Alternate Path or Channel vulnerability in masteriyo Masteriyo - LMS learning-management-system. This issue affects Masteriyo - LMS: from n/a through <= 1.7.3.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| masteriyo | masteriyo_lms | <= 1.7.3 | — |
| themegrill | masteriyo | < 1.7.4 | 1.7.4 |
Detection & IOCs (extracted from sources)
- Unauthenticated GET requests to /wp-json/masteriyo/v1/course-progress with a user_id parameter returning HTTP 200 with a JSON body containing 'course_id', 'course_permalink', and 'status' fields indicate successful IDOR exploitation.
- Monitor for unauthenticated requests to the Masteriyo REST API endpoint iterating over numeric user_id values (1–10+) in a clusterbomb/enumeration pattern.
- Presence of the plugin path /wp-content/plugins/learning-management-system/ in HTTP responses can be used to fingerprint vulnerable Masteriyo LMS installations for targeting.
- The vulnerability affects Masteriyo LMS versions n/a through 1.7.3 only; versions above 1.7.3 are not affected.
GHSA
GHSA-vfx3-xjmh-f34c: Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS
ghsa_unreviewed · 2025-05-19 · CVE-2024-33939 · [MEDIUM] · CWE-288
Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress. This issue affects Masteriyo - LMS: from n/a through 1.7.3.
VulnCheck
CVE-2024-33939 Masteriyo LMS Plugin Authentication Bypass
vulncheck · 2024
The Masteriyo LMS Plugin for WordPress is vulnerable to an insecure direct object reference that could allow unauthenticated adversaries to view other users' course progress. Versions up to and including 1.7.3 are vulnerable via the REST API.
Affected: Masteriyo Masteriyo LMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/learning-management-system/vulnerability/wordpress-lms-by-masteriyo-plugin-1-7-3-broken-authentication-vulnerability; https://www.cve.org/CVERecord?id=CVE-2024-33939
No detection rules found.
Nuclei
CVE-2024-33939 Masteriyo LMS <= 1.7.3 - Insecure Direct Object Reference
nuclei · CVSS 5.3
Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress. This issue affects Masteriyo - LMS: from n/a through 1.7.3.
Template:

```yaml
id: CVE-2024-33939

info:
  name: Masteriyo LMS <= 1.7.3 - Insecure Direct Object Reference
  author: Sourabh-Sahu
  severity: medium
  description: |
    Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress. This issue affects Masteriyo - LMS: from n/a through 1.7.3.
  impact: |
    An unauthenticated attacker can access course progress and user learning data without logging in.
  remediation: |
    Update the Masteriyo LMS plugin to the latest version and enforce proper au
```
No writeups or analysis indexed.