Multiple critical vulnerabilities were discovered in MasterStudy LMS, a popular WordPress plugin with over 10,000 active installations. If exploited, the reported vulnerabilities could allow an unauthenticated attacker to escalate privileges, potentially granting themselves administrative access, and to include and execute arbitrary files on the server, leading to potential code execution and data theft, and possibly to uploading a web shell and gaining access to the whole server.
The first reported vulnerability, a Privilege Escalation vulnerability (CVE-2024-2409), was discovered in versions up to and including 3.3.1 of the MasterStudy LMS plugin. An unauthenticated attacker could exploit this vulnerability to register a user with administrator-level privileges when the MasterStudy LMS Pro plugin is installed and the LMS Forms Editor add-on is enabled.
The second vulnerability, a Local File Inclusion vulnerability (CVE-2024-2411), was found in versions up to and including 3.3.0 of the plugin. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server via the ‘modal’ parameter. This could lead to code execution, data theft, and bypassing access controls, especially in cases where images and other “safe” file types can be uploaded and included.
A third vulnerability, also a Local File Inclusion vulnerability (CVE-2024-3136), was discovered in versions up to and including 3.3.3 of the plugin. It is similar to the second one, but it allows unauthenticated attackers to include and execute arbitrary files on the server via the ‘template’ parameter.
These vulnerabilities were disclosed and reported by security researcher Hiroho Shimada through the Wordfence Bug Bounty Program. For their efforts, the researcher was awarded a total bounty of $937.00.
Users of the MasterStudy LMS WordPress plugin should update to the latest patched version (3.3.4 at the time of writing) immediately to avoid the risk of exploitation.
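To check which of the three CVEs apply to a given installation, the version bounds stated above can be turned into a small triage script. This is an added example, not code from Wordfence or the plugin's authors; the function names and the sample plugin header are constructed for illustration.

```python
import re

# Last affected version per CVE, exactly as stated in the article.
ADVISORIES = [
    ("CVE-2024-2409", "3.3.1", "privilege escalation (needs Pro + LMS Forms Editor add-on)"),
    ("CVE-2024-2411", "3.3.0", "local file inclusion via the 'modal' parameter"),
    ("CVE-2024-3136", "3.3.3", "local file inclusion via the 'template' parameter"),
]
PATCHED = "3.3.4"

# Constructed sample of a WordPress plugin file header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: MasterStudy LMS
 * Version: 3.3.1
 */
"""

def header_version(plugin_php_source):
    """Read the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", plugin_php_source,
                  re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("no Version header found")
    return m.group(1)

def parse_version(text):
    """'3.3.1' -> (3, 3, 1, 0), so 3.3.10 sorts after 3.3.4 and '3.3' equals '3.3.0'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def triage(installed, pro_with_forms_editor=None):
    """Return the CVEs that apply. Pass False for the second argument only when
    Pro with the Forms Editor add-on is known to be absent; None means unknown."""
    v = parse_version(installed)
    findings = []
    for cve, last_affected, _note in ADVISORIES:
        if v > parse_version(last_affected):
            continue
        if cve == "CVE-2024-2409" and pro_with_forms_editor is False:
            continue  # precondition stated in the article is not met
        findings.append(cve)
    return findings

if __name__ == "__main__":
    installed = header_version(SAMPLE_HEADER)
    hits = triage(installed)
    print(f"{installed}: {', '.join(hits) or 'not affected'} (patched in {PATCHED})")
```

An unknown Pro/add-on state is treated as affected, so the script errs toward reporting CVE-2024-2409 rather than missing it.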