WordPress Plugin Vulnerabilities

MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.3.9 - Missing Authorization

Description

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on several functions in versions up to, and including, 3.3.8. This makes it possible for authenticated attackers, with subscriber level permissions and above, to read and modify content such as course questions, post titles, and taxonomies.

Affects Plugins

Plugin icon
masterstudy-lms-learning-management-system
Fixed in 3.3.9

References

CVE
CVE-2024-3942
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/64eb3d67-7056-4a03-ba3b-a04c2e96648d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
38aace01-0c1d-4fab-92c2-1b2d2e248e06

Timeline

Publicly Published
2024-04-29 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2025-09-01
Title
Miraculous < 2.0.9 - Missing Authorization to Unauthenticated Arbitrary Content Deletion
Published
2025-02-12
Title
Read More & Accordion < 3.4.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary 'Read More' Post Deletion
Published
2025-04-04
Title
TableOn – WordPress Posts Table Filterable <= 1.0.4 - Missing Authorization
Published
2025-09-10
Title
Ultimate Classified Listings <= 1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Published
2025-10-11
Title
Togo – Travel & Tour Booking WordPress Theme theme < 1.0.4 - Missing Authorization