CVE-2024-2409 Overview
The MasterStudy LMS plugin for WordPress contains a critical Privilege Escalation vulnerability affecting all versions up to and including 3.3.1. The vulnerability exists due to insufficient validation checks within the _register_user() function, which is called by the wp_ajax_nopriv_stm_lms_register AJAX action. This flaw allows unauthenticated attackers to register a user account with administrator-level privileges when MasterStudy LMS Pro is installed and the LMS Forms Editor add-on is enabled.
Critical Impact
Unauthenticated attackers can gain full administrator access to WordPress sites running vulnerable versions of MasterStudy LMS, potentially leading to complete site compromise, data theft, and malware injection.
Affected Products
- MasterStudy LMS plugin for WordPress versions up to and including 3.3.1
- Configurations with MasterStudy LMS Pro installed
- Sites with the LMS Forms Editor add-on enabled
Discovery Timeline
- 2024-03-29 - CVE-2024-2409 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2024-2409
Vulnerability Analysis
This vulnerability is classified as a Privilege Escalation flaw stemming from improper input validation in the user registration process. The vulnerable _register_user() function fails to properly validate user-supplied input when processing registration requests through the wp_ajax_nopriv_stm_lms_register AJAX action.
Because this AJAX action uses the nopriv hook variant, it is accessible to unauthenticated users without requiring any prior authentication. When the LMS Forms Editor add-on is enabled alongside MasterStudy LMS Pro, the registration function does not adequately restrict which user role can be assigned during the registration process, allowing attackers to specify administrator privileges.
Root Cause
The root cause of this vulnerability is insufficient validation within the _register_user() function. The function fails to enforce proper restrictions on the user role parameter during the registration process. When processing registration requests via the AJAX endpoint, the code does not validate whether the requested role is appropriate for public registration, allowing arbitrary role assignment including administrator-level access.
Attack Vector
The attack is network-based and requires no authentication, making it highly accessible to remote attackers. An attacker can craft a malicious POST request to the WordPress AJAX handler targeting the stm_lms_register action. By manipulating the registration parameters, particularly the user role field, an attacker can create a new user account with administrator privileges.
The attack requires the following conditions to be met:
- MasterStudy LMS plugin version 3.3.1 or earlier must be installed
- MasterStudy LMS Pro must be active
- The LMS Forms Editor add-on must be enabled
The vulnerability can be exploited by sending a specially crafted HTTP POST request to the /wp-admin/admin-ajax.php endpoint with the action parameter set to stm_lms_register along with manipulated user role data. See the Wordfence Vulnerability Report for additional technical details.
Detection Methods for CVE-2024-2409
Indicators of Compromise
- Unexpected administrator accounts appearing in the WordPress user database
- User registration events occurring through the stm_lms_register AJAX action with administrator role assignments
- Suspicious POST requests to /wp-admin/admin-ajax.php containing the stm_lms_register action parameter
- Unauthorized changes to site settings, themes, or plugins following unexplained admin account creation
Detection Strategies
- Monitor WordPress user creation logs for new accounts with administrator or elevated privileges
- Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting the stm_lms_register action with role escalation attempts
- Review HTTP access logs for unusual POST requests to the admin-ajax.php endpoint
- Audit existing administrator accounts and verify their legitimacy
Monitoring Recommendations
- Enable comprehensive logging for WordPress user registration events
- Configure alerts for any new administrator account creation
- Implement real-time monitoring of AJAX endpoint activity
- Regularly audit user accounts and privileges within the WordPress dashboard
How to Mitigate CVE-2024-2409
Immediate Actions Required
- Update MasterStudy LMS plugin to version 3.3.2 or later immediately
- Audit all existing WordPress administrator accounts for unauthorized entries
- Review user activity logs for signs of exploitation
- Consider temporarily disabling the LMS Forms Editor add-on until patching is complete
Patch Information
StyleMixthemes has released version 3.3.2 of the MasterStudy LMS plugin to address this vulnerability. The patch implements proper validation checks in the user registration function to prevent unauthorized role assignment. Details of the fix can be reviewed in the WordPress Trac Changeset 3059676 and the StyleMixthemes Changelog.
Workarounds
- Temporarily disable the LMS Forms Editor add-on if immediate patching is not possible
- Implement WAF rules to block POST requests to admin-ajax.php containing the stm_lms_register action with suspicious role parameters
- Restrict access to the WordPress admin-ajax.php endpoint using server-level access controls where feasible
- Enable WordPress security plugins that can monitor and block suspicious user registration activity
# Example .htaccess rule to add additional logging for admin-ajax.php requests
# Place in WordPress root directory
SetEnvIf Request_URI "admin-ajax\.php" log_ajax
CustomLog /var/log/apache2/ajax_access.log combined env=log_ajax
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
