WordPress Plugin Vulnerabilities

Masteriyo - LMS < 1.11.5 - Missing Authorization

Description

The Masteriyo - LMS plugin for WordPress is vulnerable to unauthorized access of dat due to a missing capability check on several REST API endpoints in versions up to, and including, 1.11.4. This makes it possible for unauthenticated attackers to view password protected content.

Affects Plugins

Plugin icon
learning-management-system
Fixed in 1.11.5

References

CVE
CVE-2024-43158
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/90f62ee2-f2a8-49e6-ba7a-8c408c66c456

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
6aed1329-ad39-4b42-8f52-721cfb55e1f2

Timeline

Publicly Published
2024-08-07 (about 1 year ago)
Added
2024-08-14 (about 1 year ago)
Last Updated
2024-08-14 (about 1 year ago)

Other

Published
Title
Published
2025-06-19
Title
Contact Form 7 AWeber Extension < 0.1.43 - Missing Authorization
Published
2026-03-19
Title
Aimogen Pro < 2.7.6 - Unauthenticated Privilege Escalation via Arbitrary Function Call
Published
2024-04-25
Title
Secure Copy Content Protection and Content Locking < 3.9.1 - Missing Authorization
Published
2025-04-10
Title
Industrial Lite <= 1.0.8 - Missing Authorization
Published
2024-11-25
Title
Hustle – Email Marketing, Lead Generation, Optins, Popups < 7.8.6 - Missing Authorization to Unpublished Form Exposure