Masteriyo – LMS < 1.7.3 – Unauthenticated Privilege Escalation | CVE 2024-24882 | Plugin Vulnerabilities

Description

The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_logged_in_user() function in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

Affects Plugins

learning-management-system

Fixed in 1.7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8cf1276b-401d-4166-940e-e5d60f85e762

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Steven Julian

Verified

No

WPVDB ID

8407f428-12e7-4549-aa65-a241b7bdca41

Timeline

Publicly Published

2024-04-05 (about 1 year ago)

Added

2024-04-11 (about 1 year ago)

Last Updated

2024-04-11 (about 1 year ago)

Other

Published

Title

Published

2025-04-22

Title

Appointment Booking Calendar < 1.3.93 - Missing Authorization

Published

2024-08-07

Title

Masteriyo - LMS < 1.11.5 - Missing Authorization

Published

2023-07-17

Title

ProfileGrid < 5.5.2 - Subscriber+ Unauthorized Data Modification

Published

2025-10-12

Title

MasterStudy LMS Pro < 4.7.16 - Missing Authorization to Unauthenticated Arbitrary Content Deletion

Published

2025-01-16

Title

Realty Workstation <= 1.0.45 - Missing Authorization