Platform
wordpress
Component
academy
Fixed in
1.9.20
CVE-2024-1505 is a privilege escalation vulnerability discovered in the Academy LMS plugin for WordPress. This flaw allows authenticated attackers, even those with minimal permissions like student accounts, to escalate their user role to administrator. The vulnerability impacts versions of the plugin up to and including 1.9.19. A patch is available to address this issue.
The impact of CVE-2024-1505 is significant. Successful exploitation allows an attacker to gain full administrative access to the WordPress site. This can lead to unauthorized modification of content, installation of malicious plugins or themes, data theft, and complete compromise of the website. The attacker could potentially deface the site, inject malware, or use it as a launchpad for further attacks against other systems on the network. The ease of exploitation, requiring only an authenticated user account, increases the likelihood of successful attacks.
CVE-2024-1505 was publicly disclosed on March 13, 2024. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the plugin's popularity suggest a potential for widespread attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of exploitation.
WordPress sites utilizing the Academy LMS plugin, particularly those with student accounts or other low-privilege users, are at risk. Shared hosting environments where multiple WordPress installations share resources are also at increased risk, as a compromise of one site could potentially be leveraged to exploit this vulnerability on others.
• wordpress / composer / npm:
grep -r 'saved_user_info()' /var/www/html/wp-content/plugins/academy-lms/*
• wordpress / composer / npm:
wp plugin list --status=all | grep academy-lms
• wordpress / composer / npm:
wp plugin update academy-lms
Disclosure
Exploit status
EPSS
0.18% (39th percentile)
CVSS vector
The primary mitigation for CVE-2024-1505 is to upgrade the Academy LMS plugin to a version that includes the fix. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider restricting user roles and permissions to minimize the potential impact of a successful attack. Review user accounts and remove any unnecessary administrative privileges. Implement a Web Application Firewall (WAF) with rules to block attempts to manipulate user meta data. Monitor WordPress logs for suspicious activity related to user role changes.
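The log-monitoring advice above can be implemented on the site itself rather than only in a WAF. The must-use plugin below is an added example written for this advisory; it is not code from Academy LMS or from the page. It hooks the WordPress core actions that fire on role changes (`set_user_role`, `add_user_role`) and on writes to the capabilities user meta (`updated_user_meta`), writes one structured line per change to the PHP error log (debug.log when WP_DEBUG_LOG is enabled), and e-mails the site administrator when a role is escalated to administrator by a logged-in account that lacks the `promote_users` capability, which is exactly the pattern a student account exploiting this bug would produce. The install path and the `rcm_` function names are assumptions; nothing here changes the outcome of a request, so legitimate registration, cron and WP-CLI flows keep working.

```php
<?php
/**
 * Plugin Name: Role Change Monitor (added example, not part of Academy LMS)
 * Description: Logs every user role change and alerts on escalation to
 *              administrator performed by an account without promote_users.
 * Install as wp-content/mu-plugins/role-change-monitor.php (assumed path).
 */

// Core actions fired by WP_User::set_role() and WP_User::add_role().
add_action( 'set_user_role', 'rcm_on_set_role', 10, 3 );
add_action( 'add_user_role', 'rcm_on_add_role', 10, 2 );
// Core action fired after any user meta update; catches code that writes the
// capabilities array directly instead of going through set_role().
add_action( 'updated_user_meta', 'rcm_on_caps_meta', 10, 4 );

function rcm_on_set_role( $user_id, $new_role, $old_roles ) {
    rcm_record( (int) $user_id, (string) $new_role, (array) $old_roles );
}

function rcm_on_add_role( $user_id, $role ) {
    $user = get_userdata( $user_id );
    rcm_record( (int) $user_id, (string) $role, $user ? $user->roles : array() );
}

function rcm_on_caps_meta( $meta_id, $user_id, $meta_key, $meta_value ) {
    global $wpdb;
    // The capabilities meta key is prefixed with the table prefix (e.g. wp_capabilities).
    if ( $meta_key !== $wpdb->prefix . 'capabilities' || ! is_array( $meta_value ) ) {
        return;
    }
    // set_role() also reaches this hook, so an escalation is normally logged twice;
    // the duplicate is the price of catching direct meta writes as well.
    if ( ! empty( $meta_value['administrator'] ) ) {
        rcm_record( (int) $user_id, 'administrator', array( 'direct-meta-write' ) );
    }
}

function rcm_record( $user_id, $new_role, array $old_roles ) {
    // 0 for cron, WP-CLI and unauthenticated requests.
    $actor_id = get_current_user_id();
    // Both values are request-controlled; sanitize before they reach the log.
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'cli';
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';

    $line = sprintf(
        'role-change user=%d old=[%s] new=%s actor=%d ip=%s uri=%s',
        $user_id,
        implode( ',', $old_roles ),
        $new_role,
        $actor_id,
        $ip,
        $uri
    );
    error_log( $line );

    // Escalation to administrator by a logged-in account that may not promote
    // users is the signal; admin-driven promotions and CLI runs stay quiet.
    $suspicious = ( 'administrator' === $new_role )
        && $actor_id > 0
        && ! user_can( $actor_id, 'promote_users' );

    if ( $suspicious ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Suspicious privilege escalation on ' . home_url(),
            $line
        );
    }
}
```

The log line is deliberately key=value so it can be shipped to a SIEM and matched with a single rule on `new=administrator`; after deploying, confirm it fires by promoting a test user from the admin UI (actor has `promote_users`, so only the log line appears, not the alert).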
Update the Academy LMS plugin to the latest available version. The vulnerability that allows privilege escalation has been fixed in versions later than 1.9.19. This will prevent unauthorized users from obtaining administrator access.
CVE-2024-1505 is a vulnerability allowing authenticated users with limited permissions to escalate to administrator roles within the Academy LMS WordPress plugin, impacting versions up to 1.9.19.
If you are using Academy LMS for WordPress version 1.9.19 or earlier, you are potentially affected by this privilege escalation vulnerability.
Upgrade the Academy LMS plugin to the latest available version, which includes the necessary fix to prevent unauthorized privilege escalation. Check the plugin repository for updates.
As of the current date, there are no confirmed reports of active exploitation of CVE-2024-1505, but proactive patching is still highly recommended.
Refer to the official Academy LMS plugin repository or website for the latest security advisory and update information regarding CVE-2024-1505.