Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Plugin Academy LMS-eLearning and online course solution for WordPress Multiple Security Bypass Vulnerabilities (1.9.16)

Description

WordPress Plugin Academy LMS-eLearning and online course solution for WordPress is prone to multiple security bypass vulnerabilities. Exploiting these issues may allow attackers to perform otherwise restricted actions and subsequently enroll in paid courses for free. WordPress Plugin Academy LMS-eLearning and online course solution for WordPress version 1.9.16 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.9.17 or latest

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/academy/academy-lms-1916-missing-authorization

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/academy/academy-lms-1916-missing-authorization-1

https://plugins.svn.wordpress.org/academy/trunk/readme.txt

Related Vulnerabilities

WordPress Plugin Simple Page Ordering Cross-Site Scripting (2.2.1)

Next.js CVE-2022-21721 Vulnerability (CVE-2022-21721)

WordPress Plugin FourSquare Checkins Cross-Site Request Forgery (1.2)

WordPress 4.3.x Multiple Vulnerabilities (4.3 - 4.3.2)

WordPress Plugin Booking Calendar PHP Object Injection (9.1)

Severity

High

Classification

CVE-2024-32714 CVE-2024-33912 CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass