CVE-2024-10008
📋 TL;DR
The Masteriyo LMS WordPress plugin has an authorization vulnerability that allows authenticated users with student-level access or higher to modify user roles via the REST API. Attackers can escalate their own privileges to Administrator or demote existing administrators to student roles. All WordPress sites using Masteriyo LMS versions up to 1.13.3 are affected.
💻 Affected Systems
- Masteriyo LMS – eLearning and Online Course Builder for WordPress
📦 What is this software?
Masteriyo by Masteriyo
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrator access, install backdoors, steal sensitive data, and disrupt operations by demoting legitimate administrators.
Likely Case
Attackers escalate their own privileges to administrator, then install malicious plugins/themes, modify content, or access sensitive user data.
If Mitigated
With proper network segmentation and monitoring, unauthorized privilege escalation attempts are detected and blocked before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via REST API calls. Student-level access is sufficient, which attackers can obtain through registration or compromised accounts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/learning-management-system/tags/1.13.4
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Masteriyo LMS plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, download version 1.13.4+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable REST API endpoint
Block access to the vulnerable /wp-json/masteriyo/v1/users/ endpoint using web server rules or WordPress filters.
Add to .htaccess (Apache): RewriteRule ^wp-json/masteriyo/v1/users/.*$ - [F,L]
Add to nginx config: location ~* ^/wp-json/masteriyo/v1/users/ { deny all; }
Restrict user registration
Temporarily disable new user registration to prevent attackers from obtaining student accounts.
WordPress Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Disable the Masteriyo LMS plugin entirely until patched
- Implement strict network access controls to limit REST API access to trusted IPs only
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → Masteriyo LMS for the installed version. If the version is 1.13.3 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=learning-management-system --field=version (if WP-CLI is installed; learning-management-system is the plugin's slug, as in the vendor advisory URL)
Verify Fix Applied:
After updating, verify version shows 1.13.4 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/masteriyo/v1/users/ with user ID parameter
- User role changes in WordPress user audit logs
- Multiple failed login attempts followed by successful student login
Network Indicators:
- REST API calls modifying user roles from unexpected IP addresses
- Sudden increase in API requests to user endpoints
SIEM Query:
source="web_access_logs" AND uri_path="/wp-json/masteriyo/v1/users/*" AND (http_method="POST" OR http_method="PUT")
(the trailing wildcard is needed because the per-user URLs carry the target user ID after /users/, which an exact path match would miss)
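The log indicators and SIEM query above check the pretty-permalink path, but WordPress also serves every REST route through the query form /index.php?rest_route=/masteriyo/v1/users/<id>, which a path-only rule (including the .htaccess and nginx workarounds above) does not match. The following is an added detection example, not code from the page or from Masteriyo: it parses combined-format access log lines (the sample lines are constructed), resolves the REST route from either URL form, and reports write requests (POST/PUT/PATCH/DELETE) to the affected users endpoint together with the targeted user ID and source IP. The log format, the field names in the result, and the sample IPs are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format as written by Apache/nginx by default (assumed here):
# ip - user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The affected route named in the advisory; the optional trailing number is
# the user ID whose role the request would change.
ROUTE_RE = re.compile(r'^/masteriyo/v1/users(?:/(?P<uid>\d+))?/?$')

# Only state-changing methods matter for a role change.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log lines: two role-change attempts (one per URL form),
# one harmless GET on the same route, one request to a different namespace.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-json/masteriyo/v1/courses HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:12:00:03 +0000] "POST /wp-json/masteriyo/v1/users/1 HTTP/1.1" 200 612 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:12:01:10 +0000] "PUT /index.php?rest_route=%2Fmasteriyo%2Fv1%2Fusers%2F42 HTTP/1.1" 200 598 "-" "curl/8.4.0"
192.0.2.9 - - [10/Oct/2024:12:02:00 +0000] "GET /wp-json/masteriyo/v1/users/42 HTTP/1.1" 200 880 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:12:02:30 +0000] "POST /wp-json/wp/v2/users/42 HTTP/1.1" 403 120 "-" "Mozilla/5.0"
"""


def rest_route(target):
    """Return the REST route addressed by a request target, or None.

    Handles both forms WordPress accepts: /wp-json/<route> (pretty
    permalinks) and /index.php?rest_route=/<route> (query form, also used
    when permalinks are off). parse_qs already percent-decodes the value.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):]
    query = parse_qs(parts.query)
    if "rest_route" in query:
        return query["rest_route"][0]
    return None


def find_role_change_attempts(lines):
    """Return one finding per write request to the affected users route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        route = rest_route(m["target"])
        if route is None:
            continue
        r = ROUTE_RE.match(route)
        if not r:
            continue
        hits.append({
            "time": m["time"],
            "ip": m["ip"],
            "method": m["method"],
            "user_id": int(r["uid"]) if r["uid"] else None,
            "status": int(m["status"]),
            # A 2xx here means the plugin accepted the change; on a patched
            # site a student-level caller should receive 401/403 instead.
            "accepted": 200 <= int(m["status"]) < 300,
        })
    return hits


def hits_by_ip(hits):
    """Count attempts per source IP, for the 'unexpected IP' indicator."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = find_role_change_attempts(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['time']} {f['ip']} {f['method']} user_id={f['user_id']} "
              f"status={f['status']} accepted={f['accepted']}")
    print(hits_by_ip(findings))
```

Run against the real access log (for example by feeding `open(path)` to `find_role_change_attempts`) and correlate any accepted finding with the WordPress user audit log entry for the same user ID; an accepted role change initiated by a student-level account is the signature of this vulnerability being used.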