CVE-2024-10008

Name of the Vulnerable Software and Affected Versions Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress versions up to, and including, 1.13.3

Description The issue is related to missing authorization checks on the "/wp-json/masteriyo/v1/users/$id" REST API endpoint. This allows authenticated attackers with student-level access and above to modify the roles of arbitrary users, potentially escalating their privileges to Administrator and demoting existing administrators to students.

Recommendations For versions up to, and including, 1.13.3, update to a version higher than 1.13.3 to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-json/masteriyo/v1/users/$id" API endpoint until a patch is available. Restrict access to the users endpoint to minimize the risk of exploitation. Avoid using the id variable in the affected API endpoint until the issue is resolved.