Platform
wordpress
Component
masterstudy-lms-learning-management-system
Fixed in
3.2.6
CVE-2024-1512 describes a critical SQL Injection vulnerability affecting the MasterStudy LMS WordPress plugin, a popular tool for creating and managing online courses. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions of the plugin up to and including 3.2.5. A patch is available; users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in MasterStudy LMS allows attackers to craft malicious SQL queries through the 'user' parameter of the /lms/stm-lms/order/items REST endpoint. Successful exploitation can lead to the extraction of sensitive information stored within the WordPress database. This includes user credentials, course content, payment details, and other confidential data. The lack of authentication requirements means that any attacker can attempt to exploit this vulnerability. A successful attack could result in significant data breaches, reputational damage, and potential legal repercussions for website owners.
CVE-2024-1512 was publicly disclosed on February 17, 2024. While no active exploitation campaigns have been definitively confirmed, the vulnerability's CRITICAL severity and ease of exploitation make it a high-priority target. The lack of authentication required significantly increases the attack surface. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS
93.56% (100% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-1512 is to upgrade the MasterStudy LMS plugin to a version that includes the security fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter requests to the /lms/stm-lms/order/items endpoint, specifically targeting suspicious SQL injection patterns in the 'user' parameter. Additionally, carefully review and sanitize all user inputs within the plugin's code to prevent future SQL injection vulnerabilities. After upgrading, verify the fix by attempting a SQL injection payload via the affected endpoint and confirming that it is properly sanitized.
Update the MasterStudy LMS WordPress Plugin to the latest available version. Version 3.2.6 or higher fixes this SQL Injection (SQL Injection) vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-1512 is a critical SQL Injection vulnerability in the MasterStudy LMS WordPress plugin affecting versions up to 3.2.5, allowing attackers to extract sensitive data.
You are affected if you are using MasterStudy LMS plugin versions 3.2.5 or earlier. Check your plugin version and upgrade immediately.
Upgrade the MasterStudy LMS plugin to the latest available version that includes the security fix. Consider a WAF as a temporary mitigation.
While no confirmed active exploitation is public, the vulnerability's severity and ease of exploitation make it a high-priority target. Monitoring is crucial.
Refer to the MasterStudy LMS plugin website and WordPress plugin directory for the latest security advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.