WordPress Plugin Vulnerabilities

Academy LMS < 1.9.17 - Missing Authorization

Description

The Academy LMS plugin for WordPress is vulnerable to unauthorized access due to insufficient validation on the enroll_course() function in versions up to, and including, 1.9.16. This makes it possible for authenticated attackers, with subscriber-level access and above, to enroll in paid courses for free.

Affects Plugins

Plugin icon
academy
Fixed in 1.9.17

References

CVE
CVE-2024-32714
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb08ca9-e512-4a97-b323-cd9447b8bcac

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Mochamad Sofyan
Verified
No
WPVDB ID
3645d78a-ae50-460a-bd6f-535e7cdbee92

Timeline

Publicly Published
2024-04-22 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2022-01-17
Title
PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS
Published
2024-06-06
Title
WooCommerce Tools < 1.2.10 - Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation
Published
2025-03-04
Title
WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import
Published
2024-07-11
Title
Wholesale Suite < 2.2.0 - Missing Authorization
Published
2023-09-05
Title
Starter Templates <= 3.2.5 - Incorrect Authorization