Platform
wordpress
Component
masterstudy-lms-learning-management-system
Fixed in
3.2.6
CVE-2024-1512 describes a critical SQL Injection vulnerability affecting the MasterStudy LMS WordPress plugin, a popular tool for creating and managing online courses. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions of the plugin up to and including 3.2.5. A patch is available; users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in MasterStudy LMS allows attackers to craft malicious SQL queries through the 'user' parameter of the /lms/stm-lms/order/items REST endpoint. Successful exploitation can lead to the extraction of sensitive information stored within the WordPress database. This includes user credentials, course content, payment details, and other confidential data. The lack of authentication requirements means that any attacker can attempt to exploit this vulnerability. A successful attack could result in significant data breaches, reputational damage, and potential legal repercussions for website owners.
CVE-2024-1512 was publicly disclosed on February 17, 2024. While no active exploitation campaigns have been definitively confirmed, the vulnerability's CRITICAL severity and ease of exploitation make it a high-priority target. The lack of authentication required significantly increases the attack surface. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Websites utilizing the MasterStudy LMS plugin for online courses, particularly those running version 3.2.5 or earlier, are at significant risk. Shared hosting environments are especially exposed, as site owners often have limited control over plugin updates and security configurations. Sites relying on the plugin for sensitive data management, such as user registration and payment processing, face the highest potential impact.
• wordpress / composer / npm:
grep -r "stm_lms/order/items" /var/www/html/wp-content/plugins/masterstudy-lms-learning-management-system/
• wordpress / composer / npm:
wp plugin list | grep masterstudy-lms
• wordpress / composer / npm:
wp plugin update masterstudy-lms-learning-management-system
• generic web: Check the WordPress plugin directory for the updated version and the security advisory.
disclosure
Exploit status
EPSS
93.56% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-1512 is to upgrade the MasterStudy LMS plugin to a version that includes the security fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter requests to the /lms/stm-lms/order/items endpoint, specifically targeting suspicious SQL injection patterns in the 'user' parameter. Additionally, carefully review and sanitize all user inputs within the plugin's code to prevent future SQL injection vulnerabilities. After upgrading, verify the fix by attempting a SQL injection payload via the affected endpoint and confirming that it is properly sanitized.
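To make the "sanitize all user inputs" advice concrete, here is an added example (not MasterStudy LMS code, and not the plugin's actual endpoint) of a hypothetical WordPress REST route that takes a 'user' parameter: the unsafe pattern interpolates the parameter into SQL, and the hardened pattern declares the argument type, validates it, requires an authenticated caller, and binds the value with $wpdb->prepare(). The route namespace, table name and function names are assumptions for illustration.

```php
<?php
// Added example, not code from the MasterStudy LMS plugin. The route
// 'example/v1/order/items', the table {prefix}example_order_items and the
// callback names are hypothetical.

// UNSAFE pattern: the 'user' parameter becomes part of the query text, so
// any SQL the client sends is executed as written.
function example_order_items_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $user = $request->get_param( 'user' );
    $sql  = "SELECT * FROM {$wpdb->prefix}example_order_items WHERE user_id = " . $user;
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// HARDENED pattern: the value is already validated by the route's 'args'
// schema (below), cast to an integer, and bound with a %d placeholder, so it
// can never change the structure of the statement.
function example_order_items_safe( WP_REST_Request $request ) {
    global $wpdb;
    $user = (int) $request->get_param( 'user' );
    $sql  = $wpdb->prepare(
        "SELECT item_id, course_id, price FROM {$wpdb->prefix}example_order_items WHERE user_id = %d",
        $user
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order/items', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_order_items_safe',
        // Unauthenticated access is what made the reported issue reachable
        // by anyone; require a logged-in user who may only read their own orders.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return is_user_logged_in()
                && (int) $request->get_param( 'user' ) === get_current_user_id();
        },
        'args' => array(
            'user' => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                // absint() strips everything but a non-negative integer before
                // the callback runs; validate_callback rejects the request
                // outright (HTTP 400) if the raw value is not a positive number.
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );
```

Only the hardened callback is registered; the unsafe one is shown for contrast. The three layers are deliberately redundant: the schema rejects non-integer input before the callback runs, the permission callback removes the unauthenticated attack surface the advisory describes, and the prepared statement means that even if the first two were bypassed, the parameter is treated as data rather than SQL.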
Update the MasterStudy LMS WordPress plugin to the latest available version. Version 3.2.6 or later fixes this SQL injection vulnerability.
CVE-2024-1512 is a critical SQL Injection vulnerability in the MasterStudy LMS WordPress plugin affecting versions up to 3.2.5, allowing attackers to extract sensitive data.
You are affected if you are using MasterStudy LMS plugin versions 3.2.5 or earlier. Check your plugin version and upgrade immediately.
Upgrade the MasterStudy LMS plugin to the latest available version that includes the security fix. Consider a WAF as a temporary mitigation.
While no confirmed active exploitation is public, the vulnerability's severity and ease of exploitation make it a high-priority target. Monitoring is crucial.
Refer to the MasterStudy LMS plugin website and WordPress plugin directory for the latest security advisory and update information.