Platform: wordpress
Component: learning-management-system
Fixed in: 1.7.3
CVE-2024-24882 describes an Improper Privilege Management vulnerability within the Masteriyo LMS plugin for WordPress. This flaw allows attackers to escalate privileges, potentially gaining complete control over the affected WordPress site. Versions of Masteriyo LMS prior to 1.7.3 are vulnerable, and a patch has been released in version 1.7.3.
The Privilege Escalation vulnerability in Masteriyo LMS allows an attacker to bypass intended access controls and perform actions they are not authorized to do. This could involve modifying user roles, accessing sensitive data, installing malicious plugins, or even taking complete control of the WordPress installation. The potential impact is severe, as a successful exploit could lead to data breaches, website defacement, and disruption of services. Given the plugin's function in managing learning content and user access, the compromise could expose student data and intellectual property.
CVE-2024-24882 was publicly disclosed on 2024-05-17. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability's criticality (CVSS 9.8) suggests a high probability of exploitation if a suitable exploit is developed and released. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Masteriyo LMS plugin, particularly those running versions prior to 1.7.3, are at significant risk. Shared hosting environments where multiple WordPress installations share the same server resources are also at increased risk, as a compromise of one site could potentially lead to lateral movement to others.
• wordpress / composer / npm: wp plugin list | grep learning-management-system (WP-CLI lists plugins by slug, not by display name, so filter on the slug)
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: grep -r 'masteriyo_lms_settings' /var/www/html/wp-content/plugins/
• generic web: Check the WordPress plugin directory for the updated version and security advisories.
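The checks above tell you whether the plugin is present; the script below, added here as an example and not part of this advisory or of the Masteriyo project, goes one step further and decides whether the installed version is below the 1.7.3 fix threshold. It assumes WP-CLI is on the host and that the plugin slug is learning-management-system (the component named above); the version comparison is numeric per component, so 1.10.0 is correctly treated as newer than 1.7.3 (a plain string sort would get that wrong).

```shell
#!/bin/sh
# Added example: classify an installed Masteriyo LMS version against the
# CVE-2024-24882 fix version. Not code from the advisory or the plugin.

FIXED_VERSION=1.7.3                       # first patched release per the advisory
PLUGIN_SLUG=learning-management-system    # assumed WP-CLI slug for Masteriyo LMS

# Turn "MAJOR.MINOR.PATCH" into one integer so versions compare numerically.
# Pre-release suffixes such as "-beta" are ignored; missing components count as 0.
version_key() {
  v=${1%%-*}
  major=$(printf '%s\n' "$v" | cut -d. -f1)
  minor=$(printf '%s\n' "$v" | cut -s -d. -f2)
  patch=$(printf '%s\n' "$v" | cut -s -d. -f3)
  echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# True (exit 0) when version $1 is strictly older than version $2.
version_lt() {
  [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# True (exit 0) when the given version is still affected, i.e. older than 1.7.3.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# Query the live site through WP-CLI and report.
# Exit status: 0 = vulnerable, 1 = patched, 2 = no WP-CLI, 3 = plugin not installed.
check_installed() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; run this on the WordPress host or pass a version argument"
    return 2
  fi
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "plugin $PLUGIN_SLUG is not installed"
    return 3
  }
  if is_vulnerable "$installed"; then
    echo "VULNERABLE: Masteriyo LMS $installed is older than $FIXED_VERSION (CVE-2024-24882)"
    return 0
  fi
  echo "OK: Masteriyo LMS $installed is at or above $FIXED_VERSION"
  return 1
}

# Usage: sh check_masteriyo.sh [VERSION]
# With a version argument, classify that version; without one, query the site.
if [ $# -gt 0 ]; then
  if is_vulnerable "$1"; then
    echo "$1: vulnerable (older than $FIXED_VERSION)"
  else
    echo "$1: patched ($FIXED_VERSION or later)"
  fi
else
  status=0
  check_installed || status=$?
  echo "exit status: $status (0 vulnerable, 1 patched, 2 no WP-CLI, 3 plugin absent)"
fi
```

Run it on the WordPress host with no arguments to check the live install, or pass a version string taken from another inventory source (a composer.lock entry, a backup) to classify it offline.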
EPSS: 48.28% (98th percentile)
The primary mitigation for CVE-2024-24882 is to immediately upgrade Masteriyo LMS to version 1.7.3 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider restricting access to the LMS plugin's administrative interface to trusted users only. Implement strong password policies and multi-factor authentication for all WordPress administrator accounts. Regularly review user roles and permissions to ensure they align with the principle of least privilege. While a WAF cannot directly prevent this vulnerability, it can help detect and block suspicious activity related to privilege escalation attempts.
Update the LMS by Masteriyo plugin to the latest available version. The privilege escalation vulnerability was fixed in releases after 1.7.2. To update, open the WordPress admin dashboard, go to the 'Plugins' section, and search for 'LMS by Masteriyo' to update it.
CVE-2024-24882 is a critical vulnerability in Masteriyo LMS for WordPress that allows attackers to escalate privileges and gain unauthorized access. It affects versions up to 1.7.2.
Yes, if you are using Masteriyo LMS version 1.7.2 or earlier, you are vulnerable to this privilege escalation flaw.
Upgrade Masteriyo LMS to version 1.7.3 or later to resolve the vulnerability. If immediate upgrade isn't possible, restrict access to the plugin's admin interface.
As of now, there are no publicly known active exploits, but the high CVSS score indicates a potential for exploitation.
Refer to the Masteriyo website and WordPress plugin directory for the latest security advisories and updates related to CVE-2024-24882.