CVE-2024-1512 Overview
The MasterStudy LMS WordPress Plugin for Online Courses and Education is vulnerable to union-based SQL injection via the user parameter of the /lms/stm-lms/order/items REST route in all versions up to and including 3.2.5. The cause is insufficient escaping of the user-supplied value combined with a lack of preparation on the existing SQL query. Because the route is reachable without authentication, an unauthenticated attacker can append additional SELECT statements to the plugin's query and read data from any table the WordPress database user can access.
Critical Impact
Unauthenticated attackers can read sensitive data from the WordPress database, including usernames and password hashes from wp_users, payment records, course content and other confidential plugin data. No account on the site is required.
Affected Products
- MasterStudy LMS WordPress Plugin versions up to and including 3.2.5
- WordPress installations using the vulnerable MasterStudy LMS plugin
- NVD vendor/product identifier: stylemixthemes / masterstudy_lms
Discovery Timeline
- 2024-02-17 - CVE-2024-1512 published to NVD
- 2024-12-18 - Last updated in NVD database
Technical Details for CVE-2024-1512
Vulnerability Analysis
This SQL injection vulnerability is in the StmStatistics.php class, in the handling of the user parameter of the /lms/stm-lms/order/items REST route. It is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Because the route requires no authentication, anyone who can reach the REST API can inject SQL. The injection is union-based: the attacker appends a SELECT against another table to the plugin's query, and the extra rows come back in the normal API response. Any table readable by the WordPress database user is exposed, including user credentials (wp_users holds usernames and password hashes), course data, payment details and site configuration stored in wp_options.
Root Cause
The root cause of this vulnerability lies in two fundamental security failures within the plugin's codebase:
Insufficient Input Escaping: The user parameter taken from the REST request is not sanitized or escaped before it is placed into the SQL string, so SQL metacharacters and keywords pass through unchanged.
Lack of Prepared Statements: The query does not go through WordPress's $wpdb->prepare() (or an equivalent parameterized mechanism), which would bind the value separately from the SQL text. Escaping on its own would not be a complete defence either: a value substituted into an unquoted numeric comparison can be injected without any quote character, which is why binding it with a typed %d placeholder (or casting it to an integer) is the correct fix.
Together these give an unauthenticated request a direct path into the database query through the publicly accessible REST route.
Attack Vector
The attack vector is network-based and requires no authentication, which makes it particularly dangerous for internet-facing WordPress installations. An attacker crafts HTTP requests to the vulnerable REST endpoint with an SQL payload in the user parameter.
UNION-based injection lets the attacker append a further SELECT to the original query and have its rows returned alongside the legitimate result. The appended SELECT must return the same number of columns as the original query; that is the only constraint to work around. Because the rows come back in the normal API response, no out-of-band channel is needed to exfiltrate the data.
Attack prerequisites include:
- Network access to the WordPress installation
- Knowledge of the vulnerable endpoint path
- Basic SQL injection skills to craft UNION-based payloads
No special privileges, user interaction, or specific system conditions are required for successful exploitation.
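The two root causes above and the UNION technique they enable, as an added example that is not the plugin's code: a Python script builds a small in-memory SQLite database from constructed sample rows, runs an order-items lookup once with the parameter concatenated into the SQL text and once bound as a typed parameter, and feeds both the same UNION payload. The table and column names (stm_lms_orders, wp_users) and the shape of the query are assumptions chosen for illustration; the sqlite3 placeholder plays the role of $wpdb->prepare() with a %d placeholder.

```python
"""Added example, not the plugin's code: reproduces the two root causes
(no escaping, no prepared statement) and the UNION-based extraction they
allow, against an in-memory SQLite database with constructed sample rows.
Table/column names and the query shape are assumptions for illustration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an LMS orders table and a wp_users-like table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE stm_lms_orders (order_id INTEGER PRIMARY KEY,
                                     user_id INTEGER, items TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY,
                               user_login TEXT, user_pass TEXT);
        INSERT INTO stm_lms_orders VALUES (1, 7, 'course-101');
        INSERT INTO stm_lms_orders VALUES (2, 7, 'course-202');
        INSERT INTO stm_lms_orders VALUES (3, 8, 'course-303');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashOnly');
        INSERT INTO wp_users VALUES (7, 'student', '$P$BanotherExampleHash');
        """
    )
    return conn


def order_items_vulnerable(conn: sqlite3.Connection, user: str) -> list:
    """The flawed pattern: the request parameter is pasted into the SQL text.
    WordPress analogue: $wpdb->get_results("... WHERE user_id = " . $user)."""
    sql = f"SELECT order_id, items FROM stm_lms_orders WHERE user_id = {user}"
    return conn.execute(sql).fetchall()


def order_items_fixed(conn: sqlite3.Connection, user: str) -> list:
    """The corrected pattern: cast to the expected type and bind the value,
    the equivalent of $wpdb->prepare("... WHERE user_id = %d", $user)."""
    try:
        user_id = int(user)
    except ValueError:
        return []          # not a user ID at all: reject rather than query
    sql = "SELECT order_id, items FROM stm_lms_orders WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# UNION-based payload. The original SELECT returns two columns, so the
# appended SELECT must return two as well; its rows land in the same
# result set that the API would serialize into its response.
UNION_PAYLOAD = "7 UNION SELECT user_login, user_pass FROM wp_users"


def demo() -> tuple:
    """Run both query styles with the same payload; returns (leaked, safe)."""
    conn = build_db()
    return (order_items_vulnerable(conn, UNION_PAYLOAD),
            order_items_fixed(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)
    print("bound-parameter query returned:", safe)
```

The concatenated version returns the two legitimate order rows plus one row per wp_users entry carrying the login and password hash; the bound version never builds a query from the payload at all. Casting to int before binding mirrors what a %d placeholder does in $wpdb->prepare() and is what closes the unquoted-numeric case that escaping alone would miss.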
Detection Methods for CVE-2024-1512
Indicators of Compromise
- Requests to the /lms/stm-lms/order/items REST route (also reachable as index.php?rest_route=/lms/stm-lms/order/items) whose user parameter contains SQL syntax such as UNION, SELECT, quote characters or comment sequences, possibly URL-encoded or double-encoded
- Database query logs (for example the MySQL general or slow query log) showing UNION SELECT statements from the web application's database account
- Unexpected data access patterns or bulk data retrieval through the LMS plugin endpoints
- Web application firewall alerts for SQL injection patterns targeting WordPress REST routes
Detection Strategies
- Deploy WAF rules that detect and block SQL injection patterns in the user parameter of this route; the rule should URL-decode the value and match both the /wp-json/ and ?rest_route= forms of the path
- Review web server access logs for requests to /lms/stm-lms/order/items; WordPress does not log REST calls itself, so the access log with full query strings is the primary evidence source
- Use database activity monitoring to flag UNION queries issued from the web application's database account
- Configure intrusion detection to alert on common SQL injection payloads in HTTP traffic to WordPress REST routes
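The indicators and detection strategies above, as an added example that is not part of the original advisory: a Python triage script scans access-log lines for requests to the route in either URL form, URL-decodes the user parameter a second time to catch double encoding, and classifies each request. It assumes combined log format and that legitimate user values are plain numeric IDs; the regular expressions and the sample log lines are constructed for this example and are not the vendor's.

```python
"""Added example (not from the original advisory): scan web-server access
logs for injection attempts against the /lms/stm-lms/order/items route.
Assumptions: combined log format; the route is reached either as
/wp-json/lms/stm-lms/order/items or as index.php?rest_route=...; legitimate
'user' values are numeric IDs. SAMPLE_LOG is constructed test data."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
ROUTE_RE = re.compile(r'/lms/stm-lms/order/items/?$', re.IGNORECASE)
# High-confidence SQL injection markers, checked after URL decoding.
SQLI_RE = re.compile(
    r"(?:\bunion\b\s+(?:all\s+)?\bselect\b|\bselect\b.+\bfrom\b|"
    r"\bsleep\s*\(|\bbenchmark\s*\(|--|/\*|#|['\"])",
    re.IGNORECASE,
)

# Constructed sample lines: one benign lookup, three injection attempts in
# different encodings/route forms, one non-numeric value, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Feb/2024:10:01:02 +0000] "GET /wp-json/lms/stm-lms/order/items?user=7 HTTP/1.1" 200 512
203.0.113.11 - - [17/Feb/2024:10:01:05 +0000] "GET /wp-json/lms/stm-lms/order/items?user=7%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 2048
203.0.113.12 - - [17/Feb/2024:10:01:09 +0000] "GET /index.php?rest_route=%2Flms%2Fstm-lms%2Forder%2Fitems&user=7%2520union%2520select%25201,2 HTTP/1.1" 200 1024
203.0.113.13 - - [17/Feb/2024:10:01:12 +0000] "GET /wp-json/lms/stm-lms/order/items?user=7%27 HTTP/1.1" 500 0
203.0.113.14 - - [17/Feb/2024:10:01:15 +0000] "GET /wp-json/lms/stm-lms/order/items?user=admin HTTP/1.1" 200 40
198.51.100.5 - - [17/Feb/2024:10:02:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 7300
"""


def route_targeted(target: str) -> bool:
    """True if the request targets the vulnerable REST route in either form."""
    parts = urlsplit(target)
    if ROUTE_RE.search(unquote_plus(parts.path)):
        return True
    # parse_qs already decodes %2F, so the rest_route value is a plain path
    return any(ROUTE_RE.search(r) for r in parse_qs(parts.query).get("rest_route", []))


def classify(line: str):
    """Return (verdict, ip, decoded_user) for requests to the route, where
    verdict is 'sqli', 'suspicious' or 'benign'; None for other lines."""
    m = LOG_RE.match(line)
    if not m or not route_targeted(m["target"]):
        return None
    values = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True).get("user", [])
    if not values:
        return ("benign", m["ip"], None)
    user = unquote_plus(values[0])   # second decode catches double-encoded payloads
    if SQLI_RE.search(user):
        return ("sqli", m["ip"], user)
    if not user.isdigit():           # assumption: legitimate values are numeric IDs
        return ("suspicious", m["ip"], user)
    return ("benign", m["ip"], user)


def scan(log_text: str) -> list:
    """Return (verdict, ip, user) for every non-benign request to the route."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] != "benign":
            findings.append(result)
    return findings


if __name__ == "__main__":
    for verdict, ip, user in scan(SAMPLE_LOG):
        print(f"{verdict:10} {ip:15} user={user!r}")
```

Run it against a real access log by passing the file contents to scan(); the status code is deliberately not used as a signal, because a working UNION payload returns 200 just like a legitimate request, while only the failed attempts (wrong column count, unbalanced quote) tend to produce 500s.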
Monitoring Recommendations
- Keep full query strings in the web server access logs for REST requests (WordPress itself does not log REST API calls) and review them for injection attempts
- Set up automated alerts on database errors and unusual query shapes originating from the LMS plugin; UNION attempts with the wrong column count fail with an SQL error before a working payload is found
- Watch for unusually large or repeated responses from the endpoint: with a UNION-based injection the extracted data leaves in the HTTP response itself, so there is no separate outbound connection to catch
- Regularly audit access to sensitive tables such as wp_users and any tables holding payment information
How to Mitigate CVE-2024-1512
Immediate Actions Required
- Update MasterStudy LMS WordPress Plugin to version 3.2.6 or later immediately
- If immediate patching is not possible, deactivate the MasterStudy LMS plugin temporarily; a deactivated plugin's REST routes are no longer registered
- Implement WAF rules to block SQL injection attempts targeting the vulnerable endpoint
- Review database access logs for signs of prior exploitation
Patch Information
StylemixThemes has released a security update addressing this SQL injection. The fix is tracked as WordPress.org plugin changeset 3036794, which adds proper input sanitization and a prepared statement for the affected query.
Update to version 3.2.6 or later through the WordPress plugin management interface, then confirm the installed version on the Plugins screen (or with WP-CLI's plugin list), since a failed automatic update can leave the old version in place. For full details refer to the Wordfence Vulnerability Report.
Workarounds
- Restrict access to the WordPress REST API at the web server level for untrusted networks, bearing in mind that the block editor and many plugins depend on /wp-json/, so a blanket block will break administration; scope the restriction to the LMS routes where possible
- Put a web application firewall with SQL injection rules in front of the /lms/stm-lms/order/items endpoint, covering both the /wp-json/ and ?rest_route= forms of the path
- Some WordPress security plugins ship firewall rules for known CVEs; treat these as a stopgap, not a substitute for the update
- If LMS functionality is only needed internally, add IP-based access controls for the plugin's REST endpoints
# Example Apache .htaccess rule to block access to the vulnerable endpoint.
# Caveat: it only inspects the query string, so a 'user' value sent in a
# request body is not seen; a WAF that inspects bodies is more robust.
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form: /wp-json/lms/stm-lms/order/items?user=...
RewriteCond %{REQUEST_URI} ^/wp-json/lms/stm-lms/order/items [NC,OR]
# Plain-permalink form: /index.php?rest_route=/lms/stm-lms/order/items&user=...
# (QUERY_STRING is not URL-decoded, so the slashes may arrive as %2F)
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)lms(/|%2F)stm-lms(/|%2F)order(/|%2F)items [NC]
# Anchor the parameter name so that e.g. "xuser=" is not a false positive
RewriteCond %{QUERY_STRING} (^|&)user= [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

