CVE-2023-35093 WordPress MasterStudy LMS Plugin <= 3.0.8 is vulnerable to Broken Access Control

2023-06-2211:07:21

CWE-862

Patchstack

www.cve.org

cve-2023-35093

broken access control

stylemixthemes masterstudy lms

online courses

education

orders

user data

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

24.0%

JSON

Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers to view the “Orders” of the plugin and get the data related to the order like email, username, and more.

CNA Affected

[
  {
    "collectionURL": "https://wordpress.org/plugins",
    "defaultStatus": "unaffected",
    "packageName": "masterstudy-lms-learning-management-system",
    "product": "MasterStudy LMS WordPress Plugin – for Online Courses and Education",
    "vendor": "StylemixThemes",
    "versions": [
      {
        "lessThanOrEqual": "3.0.8",
        "status": "affected",
        "version": "n/a",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/masterstudy-lms-learning-management-system/wordpress-masterstudy-lms-plugin-3-0-7-broken-access-control-vulnerability?_s_id=cve