CVE-2024-2409
📋 TL;DR
This vulnerability allows unauthenticated attackers to create administrator accounts on WordPress sites running the MasterStudy LMS plugin. It affects all WordPress installations using MasterStudy LMS versions up to 3.3.1 when the Pro version and LMS Forms Editor add-on are enabled. Attackers can gain full control of affected websites without any authentication.
💻 Affected Systems
- MasterStudy LMS WordPress plugin
📦 What is this software?
MasterStudy LMS by StylemixThemes
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover with attacker gaining administrator privileges, installing backdoors, stealing sensitive data, defacing the site, or using it for further attacks.
Likely Case
Attackers create administrator accounts to maintain persistent access, install malware, or use the compromised site for phishing campaigns.
If Mitigated
With proper monitoring and access controls, unauthorized admin accounts could be detected and removed before significant damage occurs.
🎯 Exploit Status
Exploitation requires sending a crafted AJAX request to wp-admin/admin-ajax.php with specific parameters to trigger the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.2
Vendor Advisory: https://docs.stylemixthemes.com/masterstudy-lms/changelog-free-version#id-3.3.2
Restart Required: No
Instructions:
1. Update the MasterStudy LMS plugin to version 3.3.2 or higher via the WordPress admin dashboard.
2. Verify the update completed successfully.
3. Check that no unauthorized administrator accounts exist.
🔧 Temporary Workarounds
Disable LMS Forms Editor add-on
Temporarily disable the vulnerable LMS Forms Editor add-on in the MasterStudy LMS Pro settings
Restrict AJAX endpoint access
Use a web application firewall or an .htaccess rule to restrict access to wp-admin/admin-ajax.php from untrusted sources
# Example .htaccess rule to restrict admin-ajax.php
# (Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat
# use "Require ip 192.168.1.0/24" instead of the Order/Deny/Allow lines).
# Caveat: themes and plugins also call admin-ajax.php for anonymous visitors,
# so an IP allow-list can break front-end features; test before deploying.
# Apache does not accept comments after a directive on the same line.
<Files "admin-ajax.php">
    Order Deny,Allow
    Deny from all
    # Allow only internal IPs
    Allow from 192.168.1.0/24
</Files>
🧯 If You Can't Patch
- Disable MasterStudy LMS Pro plugin entirely until patched
- Implement strict monitoring for new user registrations and administrator account creation
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin dashboard for MasterStudy LMS plugin version. If version is 3.3.1 or lower AND MasterStudy LMS Pro is installed AND LMS Forms Editor is enabled, the site is vulnerable.
Check Version:
wp plugin get masterstudy-lms-learning-management-system --field=version
Verify Fix Applied:
Verify plugin version is 3.3.2 or higher in WordPress admin dashboard. Test that unauthenticated user registration no longer allows administrator role assignment.
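The two checks above (version plus add-on conditions, and an audit for administrator accounts that should not exist) as a small script. This is an added example, not code from the advisory or from StylemixThemes. The version thresholds come from the advisory; the user list is a constructed sample whose field names (ID, user_login, user_email, user_registered, roles) are assumed to match `wp user list --role=administrator --format=json` output, and the known-administrator allow-list is something the operator supplies.

```python
import json
import re
from datetime import datetime

# First patched release per the advisory.
PATCHED_VERSION = (3, 3, 2)


def parse_version(version):
    """Turn '3.3.1' (or '3.3.2-beta') into a comparable tuple of ints."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if m:
            parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version, pro_installed, forms_editor_enabled):
    """All three advisory conditions must hold for the site to be exposed."""
    return (parse_version(version) < PATCHED_VERSION
            and bool(pro_installed)
            and bool(forms_editor_enabled))


# Constructed sample (not real data) in the assumed shape of
#   wp user list --role=administrator --format=json \
#       --fields=ID,user_login,user_email,user_registered,roles
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.test",
     "user_registered": "2021-05-02 09:12:44", "roles": "administrator"},
    {"ID": 87, "user_login": "wpupdate", "user_email": "x@mail.example",
     "user_registered": "2024-03-10 14:02:21", "roles": "administrator"},
])


def unexpected_admins(users_json, known_logins, not_before=None):
    """Return logins of administrators that are not on the allow-list, or
    that were registered on/after `not_before` (a 'YYYY-MM-DD HH:MM:SS' string)."""
    cutoff = datetime.strptime(not_before, "%Y-%m-%d %H:%M:%S") if not_before else None
    flagged = []
    for user in json.loads(users_json):
        if "administrator" not in user.get("roles", ""):
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_logins or (cutoff and registered >= cutoff):
            flagged.append(user["user_login"])
    return flagged


if __name__ == "__main__":
    # Hypothetical site state; replace with the real plugin/add-on facts.
    print("vulnerable:", is_vulnerable("3.3.1", pro_installed=True, forms_editor_enabled=True))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS_JSON, {"siteowner"}))
```

Feed the script the real output of the WP-CLI command and your own list of legitimate administrator logins; any login it prints should be reviewed and, if unknown, removed and its creation correlated with the web logs.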
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=stm_lms_register
- New administrator user accounts created from unexpected IP addresses
- Multiple failed registration attempts followed by successful admin creation
Network Indicators:
- HTTP POST requests to admin-ajax.php with stm_lms_register parameter from external IPs
- Unusual spikes in traffic to WordPress AJAX endpoints
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND (form_data CONTAINS "stm_lms_register" OR query_string CONTAINS "action=stm_lms_register")
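The log indicators above, applied to web server access logs. This is an added example, not part of the advisory: it parses a few constructed Apache combined-format lines, flags POSTs to admin-ajax.php whose query string carries action=stm_lms_register, and counts hits per source IP. The sample lines and IP addresses are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_register HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:14:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:20 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_register HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:14:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "https://example.test/courses" "Mozilla/5.0"
"""

# client IP, timestamp, request line (method + target), and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

SUSPECT_ACTION = "stm_lms_register"  # action named in the advisory's indicators


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["action"] = parse_qs(parts.query).get("action", [None])[0]
    return rec


def is_suspect(rec):
    """POST to admin-ajax.php with the suspect action in the query string."""
    return (rec is not None
            and rec["method"] == "POST"
            and rec["path"].endswith("/wp-admin/admin-ajax.php")
            and rec["action"] == SUSPECT_ACTION)


def scan(log_text):
    """Return (matching records, Counter of hits per source IP)."""
    hits = [r for r in (parse_line(l) for l in log_text.splitlines()) if is_suspect(r)]
    return hits, Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("hits per IP:", dict(per_ip))
```

Access logs record only the query string, not the POST body, so a request that carries the action in form data (the last sample line) is invisible here; that is why the SIEM query above also inspects form_data, which requires a WAF or application-level logging that captures POST parameters. Correlate any hit with the administrator-account audit rather than relying on the log match alone.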
🔗 References
- https://docs.stylemixthemes.com/masterstudy-lms/changelog-free-version#id-3.3.2
- https://plugins.trac.wordpress.org/changeset/3059676/masterstudy-lms-learning-management-system
- https://www.wordfence.com/threat-intel/vulnerabilities/id/94736152-b365-4b3a-a786-ed49f7d0fc7a?source=cve