The article discusses a Privilege Escalation vulnerability found in the Academy LMS WordPress plugin, affecting versions up to 1.9.19, which allows authenticated attackers to elevate their privileges to that of a site administrator. The vulnerability allows users to make arbitrary updates to user metadata, granting themselves administrative privileges. This potential exploit was discovered during Wordfence’s Bug Bounty Program Extravaganza and reported by Lucio Sá. The researcher earned a bounty of $1,313.00 for this discovery, and the Academy LMS Team promptly responded with a patch, releasing version 1.9.20 on February 19, 2024.
The article provides a technical analysis of the vulnerability, detailing how the insecure implementation of the ‘saved_user_info()’ function in the plugin allows for arbitrary user meta updates. This opens the door for attackers to manipulate their capabilities and grant themselves administrator privileges. The article emphasizes the risks associated with Privilege Escalation vulnerabilities, highlighting the potential for complete site compromise and the ability for attackers to manipulate site content and upload malicious files.
The disclosure timeline is also outlined, demonstrating the prompt response from both Wordfence and the Academy LMS Team in addressing the vulnerability and releasing a patched version of the plugin.
Wordfence users, including those with Premium, Care, and Response versions, as well as those using the free plugin, are fully protected against the vulnerability. The article urges users to update their sites with the latest patched version of Academy LMS to ensure their security.
In conclusion, the article stresses the significance of the Privilege Escalation vulnerability and the importance of updating to the latest version of the plugin. It encourages users to share the advisory to ensure the security of their websites. The vulnerability has been fully addressed in version 1.9.20 of the Academy LMS plugin, and Wordfence users are protected from potential exploits.
Read Full Article