VYPR
Unrated severity · NVD Advisory · Published Oct 29, 2024 · Updated Apr 8, 2026

Masteriyo LMS – eLearning and Online Course Builder for WordPress <= 1.13.3 - Authenticated (Student+) Missing Authorization to Privilege Escalation

CVE-2024-10008

Description

Authenticated attackers with student-level access can modify arbitrary user roles via an unprotected REST API endpoint in Masteriyo LMS, leading to privilege escalation to Administrator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Masteriyo LMS – eLearning and Online Course Builder WordPress plugin (versions up to and including 1.13.3) is missing an authorization check on the /wp-json/masteriyo/v1/users/$id REST API endpoint. The endpoint's handler in UsersController.php does not verify the caller's permissions, so any authenticated user with student-level access or higher can modify user roles [1].
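For comparison, the following is an added illustration of how a WordPress REST route that updates a user is expected to gate role changes; it is example code written here, not the plugin's UsersController.php, and the namespace `example-lms/v1` and all `example_lms_*` function names are assumptions. The comment in the route registration marks the pattern that produces the class of flaw described above (a permission callback that accepts every request), and the remainder shows the checks WordPress core itself applies to role updates.

```php
<?php
/**
 * Illustrative WordPress REST route for updating a user, showing the
 * authorization a users/{id} endpoint needs. Example code, not the
 * plugin's own; namespace and function names are assumptions.
 */

add_action( 'rest_api_init', 'example_lms_register_user_route' );

function example_lms_register_user_route() {
    register_rest_route( 'example-lms/v1', '/users/(?P<id>\d+)', array(
        'methods'  => WP_REST_Server::EDITABLE, // POST/PUT/PATCH
        'callback' => 'example_lms_update_user',
        // Vulnerable pattern: 'permission_callback' => '__return_true'
        // lets every authenticated user (e.g. a student) reach the handler
        // and submit a new role. The callback below decides first.
        'permission_callback' => 'example_lms_can_update_user',
        'args'     => array(
            'id'   => array( 'type' => 'integer' ), // validated by rest_validate_request_arg
            'role' => array( 'type' => 'string' ),
        ),
    ) );
}

/**
 * Runs before the handler. Returning WP_Error yields a 401/403/404 response.
 */
function example_lms_can_update_user( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }

    $target_id = (int) $request['id'];
    if ( ! get_userdata( $target_id ) ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }

    // Editing a user's profile requires the edit_user meta capability for that user.
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        return new WP_Error( 'rest_cannot_edit', 'You are not allowed to edit this user.', array( 'status' => 403 ) );
    }

    // Changing a role is a separate, more privileged operation (promote_users).
    $role = $request->get_param( 'role' );
    if ( null !== $role ) {
        if ( ! current_user_can( 'promote_user', $target_id ) ) {
            return new WP_Error( 'rest_cannot_edit_roles', 'You are not allowed to change user roles.', array( 'status' => 403 ) );
        }
        $check = example_lms_check_role( $target_id, sanitize_key( $role ) );
        if ( is_wp_error( $check ) ) {
            return $check;
        }
    }

    return true;
}

/**
 * Mirrors the checks WordPress core applies to role updates: the role must
 * exist, be assignable by the caller, and an administrator must not strip
 * their own user-management capability.
 */
function example_lms_check_role( $user_id, $role ) {
    $wp_roles = wp_roles();
    if ( ! $wp_roles->is_role( $role ) ) {
        return new WP_Error( 'rest_user_invalid_role', 'Role does not exist.', array( 'status' => 400 ) );
    }

    // get_editable_roles() is an admin function and is not loaded on REST requests.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $editable = get_editable_roles();
    if ( empty( $editable[ $role ] ) ) {
        return new WP_Error( 'rest_user_invalid_role', 'Role is not assignable by the current user.', array( 'status' => 403 ) );
    }

    if ( get_current_user_id() === $user_id && ! $wp_roles->role_objects[ $role ]->has_cap( 'edit_users' ) ) {
        return new WP_Error( 'rest_user_invalid_role', 'You cannot remove your own user-management capability.', array( 'status' => 403 ) );
    }

    return true;
}

function example_lms_update_user( WP_REST_Request $request ) {
    $user = get_userdata( (int) $request['id'] );
    $role = $request->get_param( 'role' );

    if ( null !== $role ) {
        // set_role() replaces all existing roles; only reached after the
        // permission callback has authorized the change.
        $user->set_role( sanitize_key( $role ) );
    }

    return rest_ensure_response( array( 'id' => $user->ID, 'roles' => $user->roles ) );
}
```

The point of the split is that WordPress evaluates `permission_callback` before the handler, so a route whose callback is missing or permissive performs no authorization at all regardless of what the handler does; the role checks reuse core's own capabilities (`edit_user`, `promote_user`) and `get_editable_roles()` rather than a plugin-specific role list.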

Exploitation

An attacker needs only an authenticated session with student-level privileges (the default role for registered users) on a WordPress site running the vulnerable plugin. By sending a crafted HTTP request to the /wp-json/masteriyo/v1/users/$id endpoint with parameters to change a user's role (e.g., to "administrator"), the attacker can escalate their own privileges or demote existing administrators [1].

Impact

Successful exploitation allows the attacker to assign themselves or another user the Administrator role, gaining full control over the WordPress site. Additionally, the attacker can change existing administrators to students, effectively locking them out of administrative functions. This results in complete compromise of site integrity, confidentiality, and availability [1].

Mitigation

The vulnerability is fixed in version 2.2.1 of the plugin, as indicated by the plugin's changelog and version metadata [2]. Users should immediately update to version 2.2.1 or later. No workaround is available for earlier versions; the only mitigation is to update the plugin.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

References: 2