CVE-2024-43239 – WordPress Masteriyo LMS plugin <= 1.11.4 - Insecure Direct Object Reference (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2024-43239
Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4. The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.11.4 due to missing validation on the 'course_id' user controlled key. This makes it possible for authenticated attackers, with student-level access and above, to review courses they don't have access to. • https://patchstack.com/database/vulnerability/learning-management-system/wordpress-masteriyo-lms-plugin-1-11-4-insecure-direct-object-reference-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2024-43158 – WordPress Masteriyo LMS plugin <= 1.11.4 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43158
Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.4. The Masteriyo - LMS plugin for WordPress is vulnerable to unauthorized access of dat due to a missing capability check on several REST API endpoints in versions up to, and including, 1.11.4. This makes it possible for unauthenticated attackers to view password protected content. • https://patchstack.com/database/vulnerability/learning-management-system/wordpress-masteriyo-lms-plugin-1-11-4-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2024-43159 – WordPress Masteriyo LMS plugin <= 1.11.6 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43159
Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.6. The Masteriyo - LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item() function in versions up to, and including, 1.11.6. This makes it possible for unauthenticated attackers to see courses they should not have access to. • https://patchstack.com/database/vulnerability/learning-management-system/wordpress-masteriyo-lms-plugin-1-11-6-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2024-5588 – itsourcecode Learning Management System processscore.php sql injection
https://notcve.org/view.php?id=CVE-2024-5588
A vulnerability was found in itsourcecode Learning Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file processscore.php. The manipulation of the argument LessonID leads to sql injection. The attack can be launched remotely. • https://github.com/Lanxiy7th/lx_CVE_report-/issues/12 https://vuldb.com/?ctiid.266839 https://vuldb.com/?id.266839 https://vuldb.com/?submit.347576 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-33939 – Masteriyo - LMS <= 1.7.3 - Insecure Direct Object Reference
https://notcve.org/view.php?id=CVE-2024-33939
The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.7.3 via the REST API due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view other users course progress. • CWE-639: Authorization Bypass Through User-Controlled Key •