CVE-2024-10008 in Masteriyo LMS Plugininfo

Summary

by MITRE • 10/29/2024

The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2024-10008 affects the Masteriyo LMS plugin for WordPress, specifically targeting the REST API endpoint at /wp-json/masteriyo/v1/users/$id. This issue represents a critical authorization flaw that undermines the security model of WordPress installations using this plugin. The vulnerability exists in all versions up to and including 1.13.3, making it a widespread concern for administrators who have not yet updated their systems. The flaw allows authenticated attackers with student-level privileges or higher to manipulate user roles through the REST API, fundamentally compromising the principle of least privilege that governs user access control in web applications.

The technical implementation of this vulnerability stems from the absence of proper authorization validation within the plugin's REST API handlers. When an attacker makes a request to the specific endpoint, the system fails to verify whether the requesting user has sufficient privileges to modify the target user's role. This missing authorization check creates an arbitrary user modification vector that bypasses WordPress's built-in user management controls. The vulnerability manifests as a lack of access control enforcement at the application layer, where the system should validate that the authenticated user possesses administrative rights before allowing role modifications. This weakness aligns with CWE-862, which describes insufficient authorization vulnerabilities in software systems, and represents a clear violation of the principle that role-based access control should be enforced at all API endpoints.

The operational impact of this vulnerability is severe and multifaceted, as it enables privilege escalation attacks that can completely compromise the WordPress installation's security posture. An attacker with student-level access can elevate their privileges to administrator status, effectively gaining complete control over the website's content, users, and configuration settings. Additionally, the vulnerability allows for the demotion of existing administrators to student roles, which can result in unauthorized access to sensitive information and potential data manipulation. This capability creates a dangerous attack surface where malicious actors can not only take control of the system but also systematically remove legitimate administrative access, making the compromise more persistent and difficult to detect. The attack vector is particularly concerning because it leverages the legitimate REST API functionality, making it harder to distinguish from normal system operations.

Organizations using the Masteriyo LMS plugin must implement immediate mitigation strategies to protect their WordPress installations from exploitation of this vulnerability. The primary and most effective solution is to update to the latest version of the plugin where the authorization checks have been properly implemented and validated. System administrators should also consider implementing additional monitoring of REST API endpoints for unusual activity patterns, particularly around user role modification requests. Network-level controls such as API rate limiting and access restrictions can provide additional defense-in-depth measures. Security teams should also conduct comprehensive user access reviews to identify any unauthorized privilege escalation that may have occurred. From an ATT&CK framework perspective, this vulnerability maps to T1078 Privilege Escalation and T1566 Credential Access, as it enables attackers to gain elevated privileges through legitimate system interfaces. The remediation process should include both immediate patching and long-term security monitoring to prevent similar authorization failures in other plugins or custom applications within the WordPress ecosystem.

Reservation

10/15/2024

Disclosure

10/29/2024

Moderation

accepted

CPE

ready

EPSS

0.00623

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!