Local File Inclusion Vulnerability in MasterStudy LMS Plugin for WordPress
CVE-2024-3136

9.8CRITICAL

Key Information:

Vendor
Wordpress
Status
Masterstudy Lms WordPress Plugin – For Online Courses And Education
Vendor
CVE Published:
9 April 2024

Summary

The MasterStudy LMS plugin for WordPress is susceptible to Local File Inclusion due to a flaw in the 'template' parameter. This vulnerability allows unauthorized attackers to include and execute arbitrary files on the server, potentially leading to the execution of malicious PHP code. Such exploitation can bypass access controls, allow unauthorized access to sensitive information, and could enable the execution of unexpected code through file types that are generally considered safe for upload. All versions up to and including 3.3.3 are affected, highlighting the need for immediate action to secure these installations.

Affected Version(s)

MasterStudy LMS WordPress Plugin – for Online Courses and Education * <= 3.3.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3064337/mast...
https://plugins.trac.wordpress.org/changeset/3064337/mast...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hiroho Shimada
.