MasterStudy LMS < 3.3.0 – Missing Authorization to Sensitive Information Exposure in search_posts | CVE 2024-1904 | Plugin Vulnerabilities

Description

The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose draft post titles and excerpts.

Affects Plugins

masterstudy-lms-learning-management-system

Fixed in 3.3.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1be686d3-16b1-4ec7-b304-848ca4d7162c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

f12d58fa-582b-4993-b81e-3c87b775b22f

Timeline

Publicly Published

2024-03-15 (about 2 years ago)

Added

2024-03-15 (about 2 years ago)

Last Updated

2024-03-15 (about 2 years ago)

Other

Published

Title

Published

2025-04-03

Title

TextMe SMS < 1.9.2 - Missing Authorization

Published

2025-10-10

Title

Everest Backup < 2.3.6 - Missing Authorization to Unauthenticated Information Exposure

Published

2026-01-18

Title

Visual Link Preview < 2.3.0 - Missing Authorization

Published

2024-10-15

Title

WP VR < 8.5.5 - Missing Authorization

Published

2024-07-08

Title

XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin] < 1.7.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting