What is the CVSS score of CVE-2024-24882?

CVE-2024-24882 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 31.5%.

Which versions of Masteriyo LMS are affected by CVE-2024-24882?

The Masteriyo LMS WordPress plugin (versions ≤1.7.2) contains a critical privilege escalation flaw (CVSS 9.8) allowing remote unauthenticated attackers to grant themselves administrative access.

Is there a public PoC exploit available for CVE-2024-24882?

Yes, a public proof-of-concept exploit is available for CVE-2024-24882. Prioritise patching immediately. EPSS: 31.5%.

How to fix or mitigate CVE-2024-24882?

Within 24 hours: Audit all WordPress installations for Masteriyo LMS presence; immediately deactivate and isolate affected instances to prevent lateral movement. Within 7 days: Evaluate alternative LMS platforms and begin migration planning. Within 30 days: Complete removal of the plugin or transition to patched versions when vendor releases a fix-confirm patched version status before re-enablement.

Masteriyo LMS CVE-2024-24882

CRITICAL

Incorrect Privilege Assignment (CWE-266)

2024-05-17 audit@patchstack.com

Information Disclosure

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

CVE Published

May 17, 2024 - 09:15 nvd

CRITICAL 9.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in masteriyo Masteriyo - LMS learning-management-system.This issue affects Masteriyo - LMS: from n/a through <= 1.7.2.

AnalysisAI

Privilege escalation in the Masteriyo LMS WordPress plugin (versions up to and including 1.7.2) allows remote unauthenticated attackers to assign themselves elevated privileges due to incorrect privilege assignment logic. With a CVSS score of 9.8 and an EPSS score of 31.54% (97th percentile), this flaw poses significant real-world risk, though no public exploit is identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

Masteriyo is a WordPress-based Learning Management System (LMS) plugin developed by ThemeGrill (CPE: cpe:2.3:a:themegrill:masteriyo), used to deliver online courses on WordPress sites. The root cause is CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns privileges to users or roles in a way that does not match the intended access control model - typically allowing low-privilege or unauthenticated actors to obtain higher-privileged capabilities (such as instructor or administrator-equivalent rights) on the WordPress site. Because WordPress plugins execute in the same context as core and share the database, a privilege flaw here can translate into broad control over course content, student PII, and potentially the wider site.

RemediationAI

Upgrade the Masteriyo - LMS plugin to a version newer than 1.7.2 as published by the vendor on the WordPress plugin repository; the exact fixed version is not specified in the available input data, so administrators should consult the Patchstack advisory and the plugin changelog to identify the first patched release. If immediate patching is not possible, restrict access to the WordPress site's REST API and plugin endpoints (e.g., /wp-json/masteriyo/*) via a Web Application Firewall or .htaccess rules, deactivate the Masteriyo plugin until it can be updated (side effect: course pages and student access will be unavailable), and audit existing user accounts and roles for unauthorized privilege grants. Consider deploying Patchstack or a comparable virtual patching service that may already mitigate this CVE at the WAF layer.

CVE-2024-24882 vulnerability details – vuln.today

Back

Masteriyo LMS CVE-2024-24882

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code