CVE-2024-43158

7.5 HIGH

📋 TL;DR

This CVE describes a missing authorization vulnerability in the Masteriyo LMS WordPress plugin that allows attackers to access functionality not properly constrained by access control lists. Attackers can perform actions intended only for authorized users, potentially modifying course content or accessing sensitive data. All WordPress sites running Masteriyo LMS versions up to 1.11.4 are affected.

💻 Affected Systems

Products:
  • Masteriyo - LMS WordPress Plugin
Versions: n/a through 1.11.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify or delete course content, access student data, manipulate user roles, or compromise the entire LMS functionality.

🟠 Likely Case

Unauthorized users accessing or modifying course materials, viewing restricted content, or performing administrative actions without proper permissions.

🟢 If Mitigated

Proper authorization checks prevent unauthorized access, limiting users to their assigned roles and permissions only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some user access but bypasses authorization checks for specific functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.5 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/learning-management-system/wordpress-masteriyo-lms-plugin-1-11-4-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Masteriyo LMS and click 'Update Now'.
4. Verify the update to version 1.11.5 or later.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the Masteriyo LMS plugin until patched:

wp plugin deactivate masteriyo

Web Application Firewall Rules (applies to: all)

Implement WAF rules to block suspicious API calls to Masteriyo endpoints.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the WordPress instance
  • Add additional authentication layer or IP whitelisting for admin functions

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins > Installed Plugins and check the Masteriyo LMS version. If the version is 1.11.4 or earlier, the site is vulnerable.

Check Version:

wp plugin get masteriyo --field=version

Verify Fix Applied:

Verify plugin version is 1.11.5 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized API calls to Masteriyo endpoints
  • User role escalation attempts
  • Unexpected course/content modifications

Network Indicators:

  • Unusual POST/PUT requests to /wp-json/masteriyo/* endpoints from unauthorized IPs

SIEM Query:

source="wordpress.log" AND ("masteriyo" AND ("unauthorized" OR "permission denied" OR "403"))
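The version check from "How to Verify" and the network indicator above (write requests to /wp-json/masteriyo/*), as an added example that is not part of this advisory: it scans combined-format access-log lines for write-method calls under the Masteriyo REST prefix and flags IPs that were first denied (403) and later succeeded. The log lines and the `v1/courses` sub-paths are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not from a real site.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2024:10:01:02 +0000] "GET /wp-json/masteriyo/v1/courses HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Aug/2024:10:01:05 +0000] "POST /wp-json/masteriyo/v1/courses/12 HTTP/1.1" 403 98 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Aug/2024:10:01:07 +0000] "PUT /wp-json/masteriyo/v1/courses/12 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Aug/2024:10:02:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 300 "-" "curl/8.0"
"""

# Apache/nginx combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
MASTERIYO_PREFIX = "/wp-json/masteriyo/"   # endpoint prefix named in the advisory


def is_vulnerable_version(version, fixed="1.11.5"):
    """True when the installed plugin version is below the first fixed release (1.11.5)."""
    to_tuple = lambda v: tuple(int(part) for part in v.split("."))
    return to_tuple(version) < to_tuple(fixed)


def scan_masteriyo_writes(log_text):
    """Return {client_ip: [(method, path, status), ...]} for write requests to Masteriyo endpoints."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] in WRITE_METHODS and m["path"].startswith(MASTERIYO_PREFIX):
            hits[m["ip"]].append((m["method"], m["path"], int(m["status"])))
    return dict(hits)


def flag_denied_then_success(hits):
    """IPs that received a 403 on a Masteriyo write and a 2xx write afterwards: review these first."""
    flagged = []
    for ip, events in hits.items():
        statuses = [status for _, _, status in events]
        if 403 in statuses and any(200 <= s < 300 for s in statuses[statuses.index(403):]):
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_version("1.11.4"))
    hits = scan_masteriyo_writes(SAMPLE_LOG)
    print("review:", flag_denied_then_success(hits))
```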
