Platform
wordpress
Component
learning-management-system
Fixed version
1.7.3
CVE-2024-24882 describes an Improper Privilege Management vulnerability within the Masteriyo LMS plugin for WordPress. This flaw allows attackers to escalate privileges, potentially gaining complete control over the affected WordPress site. Versions of Masteriyo LMS prior to 1.7.3 are vulnerable, and a patch has been released in version 1.7.3.
The Privilege Escalation vulnerability in Masteriyo LMS allows an attacker to bypass intended access controls and perform actions they are not authorized to do. This could involve modifying user roles, accessing sensitive data, installing malicious plugins, or even taking complete control of the WordPress installation. The potential impact is severe, as a successful exploit could lead to data breaches, website defacement, and disruption of services. Given the plugin's function in managing learning content and user access, the compromise could expose student data and intellectual property.
CVE-2024-24882 was publicly disclosed on 2024-05-17. As of this writing, no proof-of-concept exploit is publicly available. Note that the CVSS 9.8 score measures severity, not likelihood; it is the EPSS figure reported on this page (48.28%, 98th percentile) that indicates a high probability of exploitation attempts once a working exploit circulates. The vulnerability is not currently listed in the CISA KEV catalog.
WordPress sites running Masteriyo LMS versions prior to 1.7.3 are directly affected. Shared hosting environments, where multiple WordPress installations share the same server resources, carry additional risk: a compromise of one site can lead to lateral movement to the others.
• wordpress (wp-cli): list installed plugins with their versions; match on the plugin slug learning-management-system, because the listing shows slugs rather than the display name "Masteriyo"
wp plugin list | grep -i 'learning-management-system'
• wordpress (wp-cli): update to 1.7.3 or later (this updates every installed plugin)
wp plugin update --all
• wordpress (filesystem): confirm the plugin's files are present under the plugins directory (adjust the path to your document root)
grep -r 'masteriyo_lms_settings' /var/www/html/wp-content/plugins/
• generic web: check the WordPress plugin directory for the updated version and security advisories.
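The wp-cli one-liners above tell you the plugin is installed but leave the version comparison to the reader. The script below is an added example, not code from the advisory or from the Masteriyo project: it parses the CSV output of `wp plugin list`, compares the installed version against the fixed release 1.7.3 with a small dotted-version comparator, and embeds a constructed plugin listing so it runs offline. It assumes the plugin slug learning-management-system (the component name on this page) and, for the live run, that the `wp` command is on PATH and the working directory is a WordPress install.

```shell
#!/bin/sh
# Added example (not from the advisory or the Masteriyo project): decide
# whether the installed Masteriyo LMS plugin is below the fixed version.
# Assumes the wp-cli `wp` command is available when run on a real host.

FIXED_VERSION="1.7.3"                    # first patched release per the advisory
PLUGIN_SLUG="learning-management-system" # slug shown in the name column of `wp plugin list`

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Components are compared numerically; a suffix such as "-beta" is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"               # current component of each version
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # drop any non-numeric suffix
        ai="${ai:-0}"; bi="${bi:-0}"               # a missing component counts as 0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1                                       # versions are equal
}

# masteriyo_status: reads the CSV produced by
#   wp plugin list --fields=name,status,version --format=csv
# on stdin and prints "vulnerable <ver>", "patched <ver>" or "not-installed".
# An inactive but installed copy is still reported: its files remain on disk.
masteriyo_status() {
    while IFS=, read -r name state version _rest; do
        [ "$name" = "$PLUGIN_SLUG" ] || continue   # skips the header row too
        if version_lt "$version" "$FIXED_VERSION"; then
            echo "vulnerable $version"
        else
            echo "patched $version"
        fi
        return 0
    done
    echo "not-installed"
}

# Constructed sample listing (not taken from a real site) so the check runs offline.
SAMPLE_PLUGIN_LIST='name,status,version
akismet,active,5.3
learning-management-system,active,1.7.2'

printf '%s\n' "$SAMPLE_PLUGIN_LIST" | masteriyo_status   # prints: vulnerable 1.7.2

# Live check: only when wp-cli is present and the cwd is a WordPress install.
if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
    wp plugin list --fields=name,status,version --format=csv | masteriyo_status
fi
```

Run it from the WordPress root on each site (for shared hosts, loop over every docroot). The comparator treats 1.10.0 as newer than 1.7.3, which a plain string or `sort` comparison would get wrong.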
disclosure
Exploitation status
EPSS
48.28% (98th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-24882 is to immediately upgrade Masteriyo LMS to version 1.7.3 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider restricting access to the LMS plugin's administrative interface to trusted users only. Implement strong password policies and multi-factor authentication for all WordPress administrator accounts. Regularly review user roles and permissions to ensure they align with the principle of least privilege. While a WAF cannot directly prevent this vulnerability, it can help detect and block suspicious activity related to privilege escalation attempts.
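The advice above to review user roles is where a privilege-escalation flaw becomes concrete: the thing to look for is an administrator account nobody created on purpose. The script below is an added example, not code from the advisory or from Masteriyo; it parses the CSV output of `wp user list --role=administrator`, flags any administrator login missing from a baseline you supply, and flags baseline administrators registered on or after the disclosure date given on this page (2024-05-17). The account names and timestamps in the sample are constructed; the live run assumes wp-cli on PATH in a WordPress install.

```shell
#!/bin/sh
# Added example (not from the advisory): review WordPress administrator
# accounts after a privilege-escalation disclosure. Flags admins that are not
# in a baseline of expected logins, and baseline admins registered on or after
# the cut-off date. Assumes wp-cli for the live run; sample data is constructed.

CUTOFF_DATE="2024-05-17"   # public disclosure date from the advisory

# audit_admins BASELINE: BASELINE is a space-separated list of expected admin
# logins. Reads the CSV produced by
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# on stdin and prints one line per finding: "<reason> <login> <registered>".
audit_admins() {
    baseline=" $1 "
    cutoff=$(printf '%s' "$CUTOFF_DATE" | tr -d -)          # 2024-05-17 -> 20240517
    while IFS=, read -r id login registered _rest; do
        [ "$id" = "ID" ] && continue                         # CSV header row
        [ -n "$login" ] || continue                          # blank line
        day=$(printf '%s' "${registered%% *}" | tr -d -)     # date part as digits
        case "$baseline" in
            *" $login "*)
                if [ "${day:-0}" -ge "$cutoff" ]; then
                    echo "recent-admin $login $registered"
                fi ;;
            *)
                echo "unexpected-admin $login $registered" ;;
        esac
    done
}

# Constructed sample (not real accounts): a long-standing owner, an admin
# created two days after disclosure, and a legitimate secondary admin.
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,2021-03-02 10:15:44
7,jdoe,2024-05-19 22:41:03
9,instructor-admin,2023-11-08 08:00:12'

printf '%s\n' "$SAMPLE_ADMINS" | audit_admins "siteowner instructor-admin"
# prints: unexpected-admin jdoe 2024-05-19 22:41:03

# Live run: replace the baseline with the admin logins you actually expect.
if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
    wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv \
        | audit_admins "siteowner"
fi
```

Treat every "unexpected-admin" line as an incident indicator rather than a cleanup item: remove the account only after capturing its ID, registration time and any content or plugins it touched, since an attacker who escalated privileges will usually have done more than create a user.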
Update the LMS by Masteriyo plugin to the latest available version. The Privilege Escalation vulnerability is fixed in the versions released after 1.7.2. To update, open the WordPress admin panel, go to the 'Plugins' section, find 'LMS by Masteriyo' and apply the update.
CVE-2024-24882 is a critical vulnerability in Masteriyo LMS for WordPress that allows attackers to escalate privileges and gain unauthorized access. It affects versions up to 1.7.2.
Yes, if you are using Masteriyo LMS version 1.7.2 or earlier, you are vulnerable to this privilege escalation flaw.
Upgrade Masteriyo LMS to version 1.7.3 or later to resolve the vulnerability. If immediate upgrade isn't possible, restrict access to the plugin's admin interface.
As of now, there are no publicly known active exploits, but the critical severity (CVSS 9.8) together with the high EPSS score means exploitation is likely once a working exploit becomes available.
Refer to the Masteriyo website and WordPress plugin directory for the latest security advisories and updates related to CVE-2024-24882.