WordPress Plugin Vulnerabilities

Academy LMS < 1.9.17 - Missing Authorization

Description

The Academy LMS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on afunction in versions up to, and including, 1.9.16. This makes it possible for authenticated attackers, with student-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
academy
Fixed in 1.9.17

References

CVE
CVE-2024-33912
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/248750b0-0fed-4c31-aeeb-709da3e7e2a1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Steven Julian
Verified
No
WPVDB ID
61abd4e2-64af-4911-9c18-01a8bece9fd3

Timeline

Publicly Published
2024-04-29 (about 2 years ago)
Added
2024-05-07 (about 2 years ago)
Last Updated
2024-05-07 (about 2 years ago)

Other

Published
Title
Published
2023-11-14
Title
Essential Grid < 3.0.19 - Missing Authorization
Published
2024-07-16
Title
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.27 - Missing Authorization
Published
2026-03-26
Title
SureCart < 4.0.3 - Missing Authorization
Published
2026-02-15
Title
WPLifeCycle < 4.0 - Missing Authorization
Published
2024-11-08
Title
Debug Tool <= 2.2 - Missing Authorization to Information Exposure