Unauthorized Access and Data Modification in MasterStudy LMS Plugin for WordPress
CVE-2024-3942
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 2 May 2024
Summary
The MasterStudy LMS WordPress Plugin for Online Courses is vulnerable to unauthorized access and data modification because several of its functions lack capability checks. All versions up to and including 3.3.8 are affected. An authenticated user with subscriber-level permissions can read and alter sensitive content, including course material, post titles, and taxonomy settings. The gap underlines the need for vigilance and timely updates to maintain the integrity of educational platforms that rely on this plugin.
Affected Version(s)
MasterStudy LMS WordPress Plugin – for Online Courses and Education * <= 3.3.8
CVSS V3.1
- Score: 5.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lucio Sá