CVE-2024-33912

7.1 HIGH

📋 TL;DR

This CVE describes a missing authorization check in the Academy LMS WordPress plugin that lets users reach paid courses they have not purchased. An authenticated user with no special privileges can bypass the purchase requirement and read restricted course content. All WordPress sites running Academy LMS versions up to and including 1.9.16 are affected; 1.9.17 fixes the issue.

💻 Affected Systems

Products:
  • Academy LMS WordPress Plugin
Versions: all releases up to and including 1.9.16 (no lower bound published)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations using vulnerable Academy LMS plugin versions.

📦 What is this software?

Academy LMS is a learning management system plugin for WordPress used to publish online courses, including paid courses that a student must purchase before the lessons are unlocked. The vulnerability sits in that purchase gate: the plugin fails to verify that the requesting user is actually enrolled before serving paid content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Any registered user reads every paid course on the site without paying; the material is then copied and redistributed, costing the operator both revenue and control over its proprietary content.

🟠 Likely Case

Individual users open paid course materials they have not purchased, resulting in lost sales and some leakage of course content.

🟢 If Mitigated

Enrollment and purchase checks are enforced on every course-content request, so only paying students reach paid material and revenue is protected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No
Complexity: LOW

Exploitation requires an authenticated WordPress account but no elevated role: a low-privileged user can reach paid course content that the plugin should gate behind a purchase. Any site with open user registration therefore exposes the flaw to anyone who signs up.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.17 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/academy/wordpress-academy-lms-plugin-1-9-16-broken-access-control-on-paid-courses-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Academy LMS plugin
4. Click 'Update Now' if update available
5. Alternatively, download version 1.9.17 or later from the WordPress.org plugin directory
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Temporary Access Restriction (platform: all)

Disable new user registration and course enrollment until the patch is applied. This limits who can reach the flaw but does not protect against accounts that already exist, since exploitation only needs a logged-in user.

IP-Based Restriction (platform: all)

Restrict access to course pages to authorized IP ranges. This is only practical for closed deployments such as internal training portals; it is not a workable control for a public course site.

🧯 If You Can't Patch

  • Deactivate the Academy LMS plugin until you can update; this removes the vulnerable code paths at the cost of taking courses offline
  • Add web application firewall rules for requests to paid course content from accounts with no purchase record; note that no public PoC is available, so the exact bypass request is not documented here and generic rules will be approximate

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Academy LMS version. If version is 1.9.16 or earlier, system is vulnerable.

Check Version:

wp plugin list --name=academy --field=version

Verify Fix Applied:

Verify Academy LMS plugin version is 1.9.17 or later in WordPress admin panel.
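The version check above can be scripted. The following is an added example, not code from the advisory or from the plugin, that extracts the `Version:` field from a WordPress plugin file header and compares it numerically against the last vulnerable release. The sample header is constructed for the example. The numeric comparison matters because a naive string compare ranks 1.10.0 below 1.9.16 and would flag a patched site as vulnerable. In practice you would feed it the output of `wp plugin list --name=academy --field=version` or the header of the plugin's main PHP file.

```python
import re

# Last vulnerable release named in the advisory; 1.9.17 is the first fixed release.
LAST_VULNERABLE = "1.9.16"


def parse_version(version: str) -> tuple:
    """Turn '1.9.16' into (1, 9, 16) so comparison is numeric per component.

    A non-numeric suffix such as '-beta' ends the parse; an empty or
    unparseable string raises rather than silently comparing as 'old'.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed Academy LMS version is 1.9.16 or earlier."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def version_from_plugin_header(header_text: str):
    """Extract the 'Version:' field from a WordPress plugin file header.

    Returns None when no Version: line is present.
    """
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample header in the standard WordPress plugin-header layout.
# It is not copied from the Academy LMS plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Academy LMS
 * Version: 1.9.16
 */
"""

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    print(installed, "VULNERABLE" if is_vulnerable(installed) else "patched")
    # Lexical comparison gets 1.10.0 wrong; numeric comparison does not.
    for v in ("1.9.15", "1.9.16", "1.9.17", "1.10.0"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
```

Run it against each site in a fleet and treat any `VULNERABLE` result as an update that must happen now; an unparseable version string is raised as an error rather than reported as safe, which is the safer failure mode for an inventory check.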

📡 Detection & Monitoring

Log Indicators:

  • Successful (HTTP 200) requests for paid course content from accounts that have no purchase or enrollment record for that course
  • Failed or abandoned payment attempts by an account, followed shortly by successful access to the course it did not pay for
  • Newly registered, low-privileged accounts that immediately pull large amounts of paid course content

Network Indicators:

  • Requests for paid lesson or quiz pages from a logged-in session whose user appears in no order records (WordPress authenticates with the logged-in cookie rather than an Authorization header, so correlate on the resolved user, not on headers)
  • Unusual volume of course-content requests from a single account, which can indicate bulk scraping of paid material

SIEM Query:

source="wordpress.log" AND ("academy-lms" OR "/academy/") AND ("unauthorized" OR "access denied")

A query for denial strings only surfaces attempts the plugin rejected; a successful bypass returns ordinary 200 responses and has to be found by correlating course access with payment or enrollment records.
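The indicator that actually catches a successful bypass is course access with no matching payment record. The following script is an added example, not part of the advisory or the plugin, that correlates a constructed access log with a constructed enrollment table and reports every successful request for paid content by a user who never purchased that course. The `/courses/<id>/...` URL shape, the log line format, the course IDs and the enrollment data are all assumptions made for the illustration; substitute your own exports.

```python
import re

# Constructed sample data. On a real site these would be exported from the
# order/enrollment records and from the web server access log with the
# WordPress user resolved from the login cookie.
PAID_COURSES = {101, 102}                       # course IDs that require purchase
ENROLLMENTS = {("alice", 101), ("bob", 102)}    # (user, course) pairs with a paid order

# Constructed access log: timestamp, resolved user, method, path, status.
ACCESS_LOG = """\
2024-05-01T10:00:01Z alice GET /courses/101/lesson-1 200
2024-05-01T10:02:13Z bob GET /courses/101/lesson-1 200
2024-05-01T10:03:40Z carol GET /courses/102/lesson-3 200
2024-05-01T10:04:00Z carol GET /courses/200/intro 200
2024-05-01T10:05:59Z bob GET /courses/102/lesson-2 200
2024-05-01T10:06:30Z mallory GET /courses/101/lesson-9 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed URL layout for course content; adjust to the site's permalink structure.
COURSE_RE = re.compile(r"^/courses/(?P<course>\d+)/")


def unpaid_course_access(log_text, paid_courses, enrollments):
    """Return (user, course, path) for each successful request to paid
    course content by a user with no enrollment record for that course."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines in another format
        if m["status"] != "200":
            continue            # a 403 is the plugin doing its job; not a bypass
        c = COURSE_RE.match(m["path"])
        if not c:
            continue            # not a course-content request
        course = int(c["course"])
        if course not in paid_courses:
            continue            # free course, no purchase expected
        if (m["user"], course) not in enrollments:
            findings.append((m["user"], course, m["path"]))
    return findings


def users_by_finding_count(findings):
    """Aggregate findings per user so bulk scrapers surface first."""
    counts = {}
    for user, _course, _path in findings:
        counts[user] = counts.get(user, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = unpaid_course_access(ACCESS_LOG, PAID_COURSES, ENROLLMENTS)
    for user, course, path in hits:
        print(f"UNPAID ACCESS user={user} course={course} path={path}")
    print(users_by_finding_count(hits))
```

Only successful responses are counted: a 403 on a paid lesson means the authorization check fired, which is the behaviour the patch restores, whereas a 200 for a user with no order is the signature of the bypass. Feed the real findings back into the payment system to confirm there is no order the export missed before treating an account as abusive.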
