CVE-2024-12172
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to update arbitrary user metadata due to a missing capability check. Attackers can block administrators from accessing their sites by setting wp_capabilities to 0. All WordPress sites using the WP Courses LMS plugin up to version 3.2.21 are affected.
💻 Affected Systems
- WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrators are completely locked out of their WordPress sites, requiring database-level intervention to restore access, potentially leading to extended downtime and data loss.
Likely Case
Attackers with subscriber accounts modify administrator capabilities to disrupt site management, causing operational disruption and potential privilege escalation.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary disruption that can be quickly detected and remediated.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has any WordPress user account. The vulnerability is publicly documented with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.22 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3203679%40wp-courses&new=3203679%40wp-courses&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WP Courses LMS' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.2.22+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the WP Courses LMS plugin until patched
wp plugin deactivate wp-courses
Restrict user registration
Disable new user registration to prevent attackers from obtaining accounts
Update WordPress Settings → General → Membership to uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict access controls and monitor user activity logs for suspicious metadata modifications
- Use web application firewall rules to block admin-ajax.php requests whose action parameter invokes the vulnerable wpc_update_user_meta_option() handler
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP Courses LMS version. If version is 3.2.21 or lower, the system is vulnerable.
Check Version:
wp plugin get wp-courses --field=version
Verify Fix Applied:
Verify plugin version is 3.2.22 or higher in WordPress admin panel. Test that authenticated users cannot modify other users' metadata.
📡 Detection & Monitoring
Log Indicators:
- Unusual user_meta updates in WordPress database logs
- Multiple failed login attempts followed by successful subscriber login and metadata modifications
- Administrator accounts suddenly losing capabilities
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action parameter containing 'wpc_update_user_meta_option'
SIEM Query:
source="wordpress_logs" action="user_meta_update" user_role="subscriber" target_user_role="administrator"
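As an added example that is not part of this advisory, the following script applies the network indicator above to web-server log lines: it flags admin-ajax.php requests carrying the wpc_update_user_meta_option action and marks those that set wp_capabilities to 0. The sample log lines are constructed, and the user_id, meta_key and meta_value parameter names are assumed for illustration (the advisory only names the action); standard access logs do not record POST bodies, so the script assumes a WAF or audit log that appends the body as a final quoted field.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: combined-format access log with the request body
# appended as an extra quoted field. Parameter names other than "action" are
# hypothetical; only the action name and endpoint come from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "action=heartbeat"
10.0.0.7 - - [12/Dec/2024:10:02:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "action=wpc_update_user_meta_option&user_id=1&meta_key=wp_capabilities&meta_value=0"
10.0.0.7 - - [12/Dec/2024:10:02:20 +0000] "GET /wp-admin/admin-ajax.php?action=wpc_update_user_meta_option&user_id=1 HTTP/1.1" 200 17 ""
10.0.0.9 - - [12/Dec/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 ""
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)
VULN_ACTION = "wpc_update_user_meta_option"

def find_meta_update_requests(log_text):
    """Return one dict per request that invokes the vulnerable AJAX action."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # admin-ajax.php accepts its parameters from the query string (GET)
        # or the request body (POST), so both are decoded and merged.
        params = parse_qs(url.query)
        params.update(parse_qs(m["body"]))
        if VULN_ACTION not in params.get("action", []):
            continue
        meta_key = params.get("meta_key", [""])[0]
        meta_value = params.get("meta_value", [""])[0]
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "user_id": params.get("user_id", [""])[0],
            "meta_key": meta_key,
            # Setting wp_capabilities to 0 is the administrator lockout pattern
            # described in the TL;DR above.
            "lockout": meta_key == "wp_capabilities" and meta_value == "0",
        })
    return hits

if __name__ == "__main__":
    for hit in find_meta_update_requests(SAMPLE_LOG):
        print(hit)
```

Requests that match without a decoded body (the GET line above) still warrant review, since the lockout flag can only be set when the body was logged.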