$937 Bounty Awarded for Privilege Escalation and Local File Inclusion Vulnerabilities Patched in MasterStudy LMS WordPress Plugin
On February 25th, 2024, during our second Bug Bounty Extravaganza, we received a submission for a Privilege Escalation vulnerability in MasterStudy LMS, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating user metadata during registration. The next day on February 26th, 2024, and later on March 31st, we also received submissions for a Local File Inclusion vulnerability in the MasterStudy LMS WordPress plugin. This vulnerability makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
Props to Hiroho Shimada who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. This researcher earned a bounty of $625.00 for the Privilege Escalation and $312.00 for the Local File Inclusion during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s protection.
We contacted StylemixThemes on March 13, 2024, and received a response on the same day. After providing full disclosure details, the developer released the first patch on March 20, 2024, the second patch on March 27, 2024, and the third patch on April 4, 2024. We would like to commend StylemixThemes for their prompt response and timely patches.
We urge users to update their sites with the latest patched version of MasterStudy LMS, which is version 3.3.4, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Description: MasterStudy LMS $query_result,
)
);
The code reveals that there is no file path sanitization in this function, which again makes it possible to include arbitrary PHP files from the server through the 'template' parameter.
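One way to apply the file path sanitization that is missing here, shown as an added example that is not MasterStudy LMS code or its patch. The function name `resolve_template`, the directory layout and the sample requests are hypothetical.

```php
<?php
// Added example, not MasterStudy LMS code: resolve_template(), the directory
// layout and the sample requests are hypothetical / constructed.

/** Map a request-supplied template name to a file under $baseDir, or null. */
function resolve_template(string $baseDir, string $name): ?string
{
    // 1. Syntax allowlist: slash-separated segments of [a-z0-9_-] only, so
    //    "..", backslashes, NUL bytes, stream wrappers and absolute paths
    //    are refused before the filesystem is touched.
    if (!preg_match('#\A[a-z0-9_-]+(?:/[a-z0-9_-]+)*\z#', $name)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // template directory itself is missing
    }

    // 2. The extension is fixed by the server, never taken from the request.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || !is_file($path)) {
        return null; // no such template
    }

    // 3. Containment: with symlinks resolved, the file must still sit
    //    inside the template directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway template tree plus one file outside it.
$root = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/templates/modals', 0700, true);
file_put_contents($root . '/templates/modals/login.php', '<?php // modal');
file_put_contents($root . '/outside.php', '<?php // not a template');

$requests = ['modals/login', '../outside', 'modals/../../outside',
             '/etc/passwd', 'modals/missing'];
foreach ($requests as $requested) {
    $file = resolve_template($root . '/templates', $requested);
    // A real handler would `include $file` here; the demo only reports.
    printf("%-22s => %s\n", $requested, $file ?? 'rejected');
}
```

The name check and the `realpath()` containment check are deliberately redundant: the first keeps hostile strings away from filesystem calls, and the second still holds if a symlink inside the template tree points elsewhere.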
Disclosure Timeline
February 25, 2024 – We receive the submission of the Privilege Escalation vulnerability in MasterStudy LMS via the Wordfence Bug Bounty Program.
February 26, 2024 – We receive the submission of the Local File Inclusion via modal vulnerability in MasterStudy LMS via the Wordfence Bug Bounty Program.
February 28, 2024 – We validate the Local File Inclusion via modal vulnerability in MasterStudy LMS report and confirm the proof-of-concept exploit.
March 1, 2024 – We validate the Privilege Escalation vulnerability in MasterStudy LMS report and confirm the proof-of-concept exploit.
March 13, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
March 13, 2024 – The vendor confirms the inbox for handling the discussion.
March 14, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
March 20, 2024 – The fully patched version for the Local File Inclusion via modal vulnerability of the MasterStudy LMS plugin, 3.3.1, is released.
March 27, 2024 – The fully patched version for the Privilege Escalation vulnerability of the MasterStudy LMS plugin, 3.3.2, is released.
March 31, 2024 – We receive the submission of the Local File Inclusion via template vulnerability in MasterStudy LMS via the Wordfence Bug Bounty Program.
April 1, 2024 – We validate the Local File Inclusion via template vulnerability in MasterStudy LMS report and confirm the proof-of-concept exploit.
April 1, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
April 4, 2024 – The fully patched version for the Local File Inclusion via template vulnerability of the MasterStudy LMS plugin, 3.3.4, is released.
Conclusion
In this blog post, we detailed a Privilege Escalation vulnerability affecting versions 3.3.1 and earlier of the MasterStudy LMS plugin. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating user metadata during registration. The vulnerability has been fully addressed in version 3.3.2 of the plugin. We also detailed Local File Inclusion vulnerabilities affecting versions 3.3.3 and earlier of the MasterStudy LMS plugin. These vulnerabilities allow unauthenticated threat actors to include and execute PHP files on the server, allowing the execution of any PHP code in those files, which can be used for complete site compromise. The vulnerabilities have been fully addressed in version 3.3.4 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of MasterStudy LMS.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s protection.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.
Source: wordfence.com