Platform: wordpress
Component: learning-management-system
Fixed in: 1.7.3
CVE-2024-24882 is an Improper Privilege Management vulnerability in the Masteriyo LMS plugin for WordPress. It allows an attacker to escalate privileges and potentially take complete control of the affected site. Versions of Masteriyo LMS up to and including 1.7.2 are affected; the fix shipped in version 1.7.3.
The flaw lets an attacker bypass the plugin's intended access controls and perform actions they are not authorized to perform. Depending on the level reached, that can include modifying user roles, reading data restricted to other users, installing malicious plugins, or taking over the WordPress installation outright. The impact is severe: a successful exploit can lead to data breaches, website defacement and disruption of service. Because the plugin manages learning content and student access, a compromise can expose student personal data and course intellectual property.
CVE-2024-24882 was publicly disclosed on 2024-05-17. As of this writing there is no publicly available proof-of-concept exploit. The vulnerability's criticality (CVSS 9.8) and its high EPSS score indicate a strong likelihood of exploitation once a working exploit is developed and released. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 48.28% (98th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-24882 is to upgrade Masteriyo LMS to version 1.7.3 or later immediately. If upgrading is not immediately feasible because of compatibility concerns or breaking changes, restrict access to the plugin's administrative interface to trusted users only, and treat that as a stopgap: the defect is an access-control bug inside the plugin, so controls applied at the wp-admin perimeter do not necessarily cover every request handler the plugin exposes. Enforce strong password policies and multi-factor authentication for all WordPress administrator accounts. Review user roles and permissions regularly, both to keep them aligned with the principle of least privilege and to spot accounts that have gained a role they should not have. A WAF cannot fix the vulnerability itself, but it can help detect and block suspicious activity consistent with privilege-escalation attempts.
Update the LMS by Masteriyo plugin to the latest available version; the privilege escalation vulnerability is fixed in versions later than 1.7.2. To update, open the WordPress admin dashboard, go to the 'Plugins' section, locate 'LMS by Masteriyo' and update it.
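The two checks below are an added example written for this page; they are not code from the advisory or from Masteriyo. The first compares an installed plugin version against the fixed version 1.7.3 stated above (reading the standard WordPress "Version:" header from the plugin directory, whose slug learning-management-system comes from the Component field). The second supports the role-review step: it parses the PHP-serialized wp_capabilities value that WordPress stores in wp_usermeta and lists every account holding the administrator role, so an account promoted by a privilege-escalation bug stands out. The plugin path layout, the role name masteriyo_student and all sample rows are assumptions or constructed data, not facts from the page.

```python
"""Added example (not from the advisory or from Masteriyo): offline checks for
the CVE-2024-24882 remediation steps.

Assumptions not stated on the page: the plugin is installed under
wp-content/plugins/learning-management-system/ and its main file carries a
standard WordPress "Version:" header; usermeta rows used below are constructed
sample data.
"""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = "1.7.3"                      # from the advisory
PLUGIN_SLUG = "learning-management-system"   # from the advisory's Component field


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.7.2' -> (1, 7, 2). Non-numeric suffixes such as '-beta' are dropped,
    so a pre-release of 1.7.3 counts as 1.7.3 (acceptable for a triage check)."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version.
    Short versions are padded so '1.7' compares like '1.7.0'."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def plugin_version_from_header(header_text: str) -> Optional[str]:
    """Extract 'Version: x.y.z' from a WordPress plugin main-file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def installed_version(wp_root: str) -> Optional[str]:
    """Locate the plugin's main file by its 'Plugin Name:' header (the file
    name itself is not assumed) and return the declared version, or None."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]   # headers sit at the top
        if "Plugin Name:" in head:
            return plugin_version_from_header(head)
    return None


# wp_capabilities is a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
# This pattern pulls out each role name whose value is boolean true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> List[str]:
    """Return the role names granted in a wp_capabilities meta value."""
    return ROLE_RE.findall(serialized)


def find_administrators(usermeta_rows: Iterable[Tuple[str, str]]) -> List[str]:
    """usermeta_rows: (user_login, wp_capabilities) pairs, e.g. from
    SELECT u.user_login, m.meta_value FROM wp_users u
      JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities'.
    Returns the logins that hold the administrator role."""
    return sorted(login for login, caps in usermeta_rows
                  if "administrator" in roles_from_capabilities(caps))


if __name__ == "__main__":
    import tempfile

    # Constructed sample install still on 1.7.2 (file name chosen for the demo only).
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        d.mkdir(parents=True)
        (d / "lms.php").write_text(
            "<?php\n/**\n * Plugin Name: LMS by Masteriyo\n * Version: 1.7.2\n */\n")
        v = installed_version(root)
        status = "patched" if v and is_patched(v) else f"VULNERABLE, update to {FIXED_VERSION}"
        print(f"installed {v}: {status}")

    # Constructed sample usermeta rows; 'student42' holding administrator is the
    # kind of anomaly a role review after this CVE should surface.
    rows = [
        ("alice", 'a:1:{s:13:"administrator";b:1;}'),
        ("bob", 'a:1:{s:10:"subscriber";b:1;}'),
        ("student42", 'a:2:{s:17:"masteriyo_student";b:1;s:13:"administrator";b:1;}'),
    ]
    print("administrators:", find_administrators(rows))
```

Run the script against a real site by pointing installed_version() at the WordPress root and feeding find_administrators() the output of the query in its docstring; any administrator login that is not on the known list of site owners deserves investigation before the upgrade is considered complete.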
CVE-2024-24882 is a critical vulnerability in Masteriyo LMS for WordPress that allows attackers to escalate privileges and gain unauthorized access. It affects versions up to 1.7.2.
Yes, if you are using Masteriyo LMS version 1.7.2 or earlier, you are vulnerable to this privilege escalation flaw.
Upgrade Masteriyo LMS to version 1.7.3 or later to resolve the vulnerability. If immediate upgrade isn't possible, restrict access to the plugin's admin interface.
As of now there are no publicly known exploits in the wild, but the critical CVSS score means exploitation is likely once one becomes available.
Refer to the Masteriyo website and WordPress plugin directory for the latest security advisories and updates related to CVE-2024-24882.