Privilege Escalation Vulnerability in LearnDash Plugin Affects Admin Account Security
CVE-2024-8349

7.2 HIGH

Key Information:

Vendor
WordPress
CVE Published:
25 September 2024

Badges

👾 Exploit Exists 🟡 Public PoC

Summary

The Uncanny Groups for LearnDash plugin for WordPress contains a privilege escalation vulnerability that allows authenticated attackers with group leader-level access to edit other users' accounts improperly. The root cause is that the plugin does not sufficiently restrict the user-editing capabilities granted to group leaders. As a result, an attacker holding the group leader role can change the email address associated with an administrator account, which may give them unauthorized access to that account and compromise the WordPress site.
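The weakness described above is a missing authorization check: the handler that lets a group leader edit a user trusts the caller's role instead of checking whether the caller may edit that particular target account. The following PHP is an added illustration of the hardened pattern, written for this page; it is not code from the Uncanny Groups for LearnDash plugin or from its fix. The AJAX action name, the `example_` function name and the request parameters are constructed assumptions; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `user_can`, `wp_update_user`, `wp_send_json_error`) are real core functions.

```php
<?php
// Added example for CVE-2024-8349, not the plugin's own code.
// Shows how a "group leader edits a user" handler should be gated so that a
// group leader cannot reach an administrator's account or email address.
// Action name, parameter names and function name are constructed assumptions.

add_action( 'wp_ajax_example_update_group_user', 'example_update_group_user' );

function example_update_group_user() {
    // 1. Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_update_group_user', 'nonce' );

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $new_email = isset( $_POST['email'] )
        ? sanitize_email( wp_unslash( $_POST['email'] ) )
        : '';

    $target = get_userdata( $target_id );
    if ( ! $target ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // 2. Authorize against the specific target user, not merely "caller is a
    //    group leader". 'edit_user' is a meta capability that core maps via
    //    map_meta_cap(): editing yourself is allowed, editing anyone else
    //    requires the 'edit_users' primitive, which a group leader role
    //    should not hold.
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Defence in depth: a non-administrator must never modify an account
    //    that holds more privilege than the caller. This is the escalation
    //    path in the advisory (changing an admin's email address).
    if ( ! current_user_can( 'manage_options' ) && user_can( $target, 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Validate the new address before writing it. wp_update_user() also
    //    refuses an address already used by another account.
    if ( ! is_email( $new_email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    $result = wp_update_user(
        array(
            'ID'         => $target_id,
            'user_email' => $new_email,
        )
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }

    wp_send_json_success( array( 'user_id' => $target_id ) );
}
```

The important design point is step 2: a role check (`current_user_can( 'group_leader' )` or similar) only answers "who is the caller", while `current_user_can( 'edit_user', $target_id )` answers "may the caller edit this account". A plugin that needs group leaders to edit their own group's members should layer its group-membership check on top of step 3, so that membership in a group never widens access to accounts with higher privilege.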

Affected Version(s)

Uncanny Groups for LearnDash: all versions up to and including 6.1.0.1 (* <= 6.1.0.1)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability Reserved

Credit

Karl Emil Nikka