CVE-2024-12172

Name of the Vulnerable Software and Affected Versions WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress versions up to, and including, 3.2.21

Description The issue is related to unauthorized access due to a missing capability check on the wpc update user meta option() function. This allows authenticated attackers with Subscriber-level access and above to update arbitrary user's metadata. By setting wp capabilities to 0, an attacker can block an administrator from accessing their site.

Recommendations For versions up to, and including, 3.2.21, update to a version that includes a fix for the missing capability check in the wpc update user meta option() function. As a temporary workaround, consider restricting access to the wpc update user meta option() function until a patch is available.