8.8

CVE-2024-1505

EPSS 0.13%
Veröffentlicht 13.03.2024 16:15:23
Zuletzt bearbeitet 22.01.2025 20:57:20
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Academy LMS – eLearning and online course solution for WordPress <= 1.9.19 - Authenticated (Subscriber+) Privilege Escalation

The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to plugin allowing arbitrary user meta updates through the saved_user_info() function. This makes it possible for authenticated attackers, with minimal permissions such as students, to elevate their user role to that of an administrator.

Mögliche Gegenmaßnahme

Academy LMS – WordPress LMS Plugin for Complete eLearning Solution: Update to version 1.9.20, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Version *-1.9.19

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kodezen ≫ Academy Lms SwPlatformwordpress Version < 1.9.20

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.339

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://plugins.trac.wordpress.org/changeset/3037880/academy#file473

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/b150f90a-ccb7-4c19-a4b3-eaf9ec264ba8?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b150f90a-ccb7-4c19-a4b3-eaf9ec264ba8

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-1505

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1505

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1505

EUVD