Platform: wordpress
Component: academy
Fixed in: 1.9.20
CVE-2024-1505 is a privilege escalation vulnerability discovered in the Academy LMS plugin for WordPress. This flaw allows authenticated attackers, even those with minimal permissions like student accounts, to escalate their user role to administrator. The vulnerability impacts versions of the plugin up to and including 1.9.19. A patch is available to address this issue.
The impact of this vulnerability is significant. An attacker who successfully exploits CVE-2024-1505 gains complete control over the WordPress site. This includes the ability to modify content, install malicious plugins, access sensitive user data, and potentially compromise the entire system. The ability to escalate from a low-privilege user account to administrator bypasses standard access controls, making it a particularly dangerous vulnerability. Successful exploitation could lead to data breaches, website defacement, and denial of service.
This vulnerability was publicly disclosed on March 13, 2024. Currently, there are no known public exploits or active campaigns targeting CVE-2024-1505. It is not listed on the CISA KEV catalog at the time of writing. The relatively recent disclosure and lack of public exploits suggest a low to medium probability of exploitation, but proactive patching is still strongly recommended.
Exploit Status
EPSS: 0.18% (39th percentile)
CVSS Vector
The primary mitigation for CVE-2024-1505 is to upgrade the Academy LMS plugin to a version that includes the fix. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider restricting user meta update permissions for users with limited roles. While not a complete solution, this can reduce the attack surface. Review user roles and permissions to ensure least privilege is enforced. Monitor WordPress logs for suspicious activity related to user meta updates.
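One way to implement the interim "restrict user meta updates" mitigation described above, as an added example that is not part of this page or of the Academy LMS plugin: a hypothetical must-use plugin (the file path and the `example_` function names are assumptions) that hooks WordPress's real `update_user_metadata` and `add_user_metadata` filters, refuses writes to the two meta keys WordPress uses to store a user's role when the acting user lacks the `promote_users` capability, and logs each refused attempt so it can be monitored.

```php
<?php
/**
 * Plugin Name: Guard role-bearing user meta (hypothetical mu-plugin, added example)
 * Description: Refuses writes to the capabilities/user_level user meta keys by
 *              authenticated users who lack promote_users, and logs the attempt.
 * Install as wp-content/mu-plugins/guard-role-meta.php (assumed path, not from the advisory).
 */

// Hypothetical helper: is this meta key one of the two WordPress uses to store a role?
// Both keys are prefixed with the blog's table prefix (e.g. "wp_capabilities").
function example_is_role_meta_key( $meta_key ) {
    global $wpdb;
    $prefix = $wpdb->get_blog_prefix();
    return $meta_key === $prefix . 'capabilities' || $meta_key === $prefix . 'user_level';
}

// Hypothetical callback for the update_user_metadata / add_user_metadata filters.
// Returning a non-null value short-circuits core's write; returning null lets it proceed.
function example_guard_role_meta( $check, $object_id, $meta_key, $meta_value ) {
    if ( ! example_is_role_meta_key( $meta_key ) ) {
        return $check; // unrelated meta key, do nothing
    }
    // Leave anonymous requests alone (new-user registration legitimately calls set_role
    // with no logged-in actor); this guard targets authenticated low-privilege accounts.
    // promote_users is the capability WordPress itself requires to change a user's role.
    if ( ! is_user_logged_in() || current_user_can( 'promote_users' ) ) {
        return $check;
    }
    error_log( sprintf(
        'Blocked role meta write: actor=%d target=%d key=%s value=%s ip=%s',
        get_current_user_id(),
        (int) $object_id,
        $meta_key,
        wp_json_encode( $meta_value ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    return false; // refuse the update; update_user_meta() will report failure
}

add_filter( 'update_user_metadata', 'example_guard_role_meta', 10, 4 );
add_filter( 'add_user_metadata', 'example_guard_role_meta', 10, 4 );
```

This only narrows the generic path that stores a role in user meta; it is a stopgap for the patch, not a replacement for upgrading to 1.9.20, and the logged lines give the "suspicious user meta update" signal the advisory suggests monitoring for.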
Update the Academy LMS plugin to the latest available version. The vulnerability that allows privilege escalation has been fixed in versions after 1.9.19. This will prevent unauthorized users from obtaining administrator access.
CVE-2024-1505 is a vulnerability allowing authenticated users with limited permissions to escalate to administrator roles within the Academy LMS WordPress plugin, impacting versions up to 1.9.19.
If you are using Academy LMS for WordPress version 1.9.19 or earlier, you are potentially affected by this privilege escalation vulnerability.
Upgrade the Academy LMS plugin to the latest available version, which includes the necessary fix to prevent unauthorized privilege escalation. Check the plugin repository for updates.
As of the current date, there are no confirmed reports of active exploitation of CVE-2024-1505, but proactive patching is still highly recommended.
Refer to the official Academy LMS plugin repository or website for the latest security advisory and update information regarding CVE-2024-1505.