PT-2024-38965 · WordPress · Uncanny Groups For Learndash

Karl Emil Nikka · Published 2024-09-25 · Updated 2024-10-02 · CVE-2024-8350

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Uncanny Groups for LearnDash plugin for WordPress versions up to, and including, 6.1.0.1
Description: The issue allows authenticated attackers with group leader-level access and above to exploit a missing capability check on the "/wp-json/ulgm management/v1/add user/" REST API endpoint. This enables them to add users to their group, potentially leading to privilege escalation by leveraging the ability to change admin account email addresses, which can subsequently lead to admin account access.
Recommendations: For versions up to, and including, 6.1.0.1, update to a version that includes a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the "/wp-json/ulgm management/v1/add user/" API endpoint until a patch is available. Restrict group leader-level access and above to minimize the risk of exploitation.
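The root cause above is a REST endpoint registered without an effective authorization check. The following is an added illustration, not code from the Uncanny Groups plugin or its fix: it contrasts a route whose `permission_callback` allows every caller with one that ties the request to a capability scoped to the target group. The namespace `example-groups/v1`, the route `/add-user`, the capability `example_manage_group` and the handler names are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Shows the weak registration
// pattern beside the corrected one for a "add user to group" REST route.

// WEAK: '__return_true' makes the endpoint reachable by any request that can
// hit the REST API; the callback then has to do all authorization itself,
// and a missing check there is exactly the "missing capability check" class.
function example_groups_register_weak_route() {
    register_rest_route('example-groups/v1', '/add-user-weak', [
        'methods'             => 'POST',
        'callback'            => 'example_groups_add_user',
        'permission_callback' => '__return_true',
    ]);
}

// CORRECTED: authorization is decided in permission_callback, before the
// handler runs, and is bound to the specific group named in the request.
function example_groups_register_route() {
    register_rest_route('example-groups/v1', '/add-user', [
        'methods'             => 'POST',
        'callback'            => 'example_groups_add_user',
        'permission_callback' => 'example_groups_can_manage_group',
        'args'                => [
            'group_id' => [
                'required'          => true,
                'validate_callback' => function ($value) { return is_numeric($value); },
            ],
            'user_id'  => [
                'required'          => true,
                'validate_callback' => function ($value) { return is_numeric($value); },
            ],
        ],
    ]);
}

// Permission check: requires a logged-in user holding the hypothetical
// 'example_manage_group' capability for this particular group id. The
// capability must be granted to roles or mapped via map_meta_cap (not shown);
// a capability nobody holds fails closed, which is the safe default.
function example_groups_can_manage_group(WP_REST_Request $request) {
    $group_id = (int) $request->get_param('group_id');
    if (!is_user_logged_in() || !current_user_can('example_manage_group', $group_id)) {
        return new WP_Error('rest_forbidden', 'Insufficient permissions.', ['status' => 403]);
    }
    return true;
}

// Handler: re-checks the capability so it stays safe even if the route is
// later re-registered with a weaker permission_callback.
function example_groups_add_user(WP_REST_Request $request) {
    $group_id = (int) $request->get_param('group_id');
    $user_id  = (int) $request->get_param('user_id');
    if (!current_user_can('example_manage_group', $group_id)) {
        return new WP_Error('rest_forbidden', 'Insufficient permissions.', ['status' => 403]);
    }
    // Hypothetical persistence step; the real plugin's storage is not shown.
    $result = example_groups_store_membership($group_id, $user_id);
    if (is_wp_error($result)) {
        return $result;
    }
    return rest_ensure_response(['group_id' => $group_id, 'user_id' => $user_id]);
}

add_action('rest_api_init', 'example_groups_register_route');
```

When auditing a plugin for this weakness class, grep every `register_rest_route` call for `'permission_callback' => '__return_true'` (or a missing `permission_callback`, which WordPress 5.5 and later flags with a `_doing_it_wrong` notice) and confirm the handler itself enforces the capability on the object being changed, not merely that the caller is logged in.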

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-8350

Affected Products: Uncanny Groups For Learndash