LMS by Masteriyo < 1.6.8 - Information Exposure
Description
Missing authorization in Masteriyo LMS plugin before 1.6.8 allows any student to retrieve other students' email addresses via REST API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Versions of the LMS by Masteriyo WordPress plugin before 1.6.8 lack proper authorization checks in certain REST API endpoints. This flaw allows any authenticated student to retrieve the email addresses of other students. The vulnerability is present in all versions prior to the fix released in version 1.6.8 [1].
Exploitation
An attacker needs only a valid student account on the WordPress site using the vulnerable plugin. By sending crafted requests to the affected REST API endpoints, the attacker can enumerate or directly access email addresses of other students without needing any additional privileges or user interaction [1].
Impact
Successful exploitation leads to unauthorized disclosure of sensitive personal information (email addresses) of other students. This violates user privacy and could be leveraged for phishing, spam campaigns, or further targeted attacks. The impact is limited to information disclosure (confidentiality breach) and does not grant code execution or system access [1].
Mitigation
The vulnerability is fixed in version 1.6.8 of the LMS by Masteriyo plugin [1]. Users should update to this version or later immediately. No workarounds are mentioned in the available references. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- WordPress/LMS by Masteriyo (description)
Patches
No patches discovered yet.
References
[1] wpscan.com/vulnerability/0d07423e-98d2-43a3-824d-562747a3d65a (mitre, exploit, vdb-entry, technical-description)