CVE-2024-37094 Overview
CVE-2024-37094 is a missing authorization vulnerability in the StylemixThemes MasterStudy LMS plugin for WordPress. The flaw stems from incorrectly configured access control security levels [CWE-862]. Affected versions include MasterStudy LMS up to and including 3.2.12. An unauthenticated remote attacker can reach protected functionality over the network without any user interaction. Successful exploitation impacts confidentiality, integrity, and availability of the WordPress site running the plugin.
Critical Impact
An unauthenticated attacker can abuse exposed plugin endpoints to access or modify learning management system data on affected WordPress installations.
Affected Products
- StylemixThemes MasterStudy LMS plugin for WordPress
- All versions from initial release through 3.2.12
- WordPress sites with the MasterStudy LMS Learning Management System plugin installed
Discovery Timeline
- 2024-11-01 - CVE-2024-37094 published to the National Vulnerability Database (NVD)
- 2025-01-22 - Last updated in NVD database
Technical Details for CVE-2024-37094
Vulnerability Analysis
The MasterStudy LMS plugin exposes functionality that should be restricted to authenticated or privileged users. The plugin fails to enforce capability or role checks on one or more handlers. This category of issue is classified under CWE-862: Missing Authorization.
WordPress plugins typically protect AJAX actions and REST routes with nonce validation and current_user_can() checks. When these checks are absent or rely solely on authentication state without verifying the user's role, any visitor can invoke privileged operations. The Patchstack advisory describes the flaw as broken access control affecting MasterStudy LMS through version 3.2.12.
Root Cause
The root cause is incorrectly configured access control on plugin endpoints. Authorization checks are either missing or implemented at the wrong security level. Functions that should require an administrator or instructor role are reachable by lower-privileged or unauthenticated requests.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted HTTP requests to the vulnerable plugin endpoint on a WordPress site running MasterStudy LMS <= 3.2.12. Because the request bypasses authorization checks, the attacker triggers protected actions directly. The full technical write-up is available in the Patchstack Vulnerability Database Entry.
No public proof-of-concept exploit code is currently listed for this CVE. The vulnerability is described in prose in the vendor advisory rather than with technical exploitation snippets.
Detection Methods for CVE-2024-37094
Indicators of Compromise
- Unauthenticated POST requests to /wp-admin/admin-ajax.php whose action parameter carries the stm_lms_ prefix
- Unexpected requests to MasterStudy REST routes under /wp-json/ from unauthenticated sessions
- Creation, modification, or deletion of LMS records, courses, or user roles without a corresponding administrator session
- Web server logs showing repeated access from a single IP to plugin endpoints prior to data changes
Detection Strategies
- Inventory all WordPress sites and identify installations running MasterStudy LMS versions <= 3.2.12
- Inspect access logs for HTTP requests targeting MasterStudy LMS AJAX actions and REST endpoints without valid authentication cookies
- Correlate unauthenticated plugin requests with subsequent database changes to LMS tables
- Deploy a Web Application Firewall (WAF) rule set that flags requests to known vulnerable MasterStudy LMS endpoints
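The following is an added example, not part of the advisory or of the plugin, of the log inspection described in the indicators and strategies above. It assumes an nginx log_format that appends the Cookie header to each line (the default combined format does not record cookies, so the same logic would otherwise have to run on application-level logs), and it treats any /wp-json/ namespace containing "masterstudy" or "stm" as a plugin route, which is an assumption rather than the plugin's documented namespace. The sample log lines are constructed; only an action passed in the query string is visible in an access log, so actions sent in a POST body need an application-side check.

```python
"""Added example (not from the advisory): flag unauthenticated requests to
MasterStudy LMS AJAX actions and REST routes in web server access logs."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed custom nginx log_format that appends the Cookie header:
#   '$remote_addr - [$time_local] "$request" $status "$http_cookie"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_PREFIX = "stm_lms_"            # action prefix named in the advisory
REST_HINTS = ("masterstudy", "stm")   # ASSUMPTION: substrings expected in the plugin's REST namespace
LOGGED_IN_COOKIE = "wordpress_logged_in_"
REPEAT_THRESHOLD = 3                  # per-IP hit count that earns a "repeated access" note


def parse_line(line):
    """Split one access-log line into fields; returns None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    url = urlsplit(d["target"])
    d["path"] = url.path
    d["query"] = parse_qs(url.query)
    # Presence of the login cookie is the only authentication signal an access log offers.
    d["authenticated"] = LOGGED_IN_COOKIE in d["cookie"]
    return d


def classify(entry):
    """Return a reason string when the entry matches an indicator, else None."""
    if entry["authenticated"]:
        return None
    if entry["path"] == AJAX_PATH:
        actions = entry["query"].get("action", [])
        if any(a.startswith(ACTION_PREFIX) for a in actions):
            return f"unauthenticated admin-ajax action {actions[0]}"
    if entry["path"].startswith("/wp-json/"):
        # Match on the namespace segment only, so core routes such as
        # /wp-json/wp/v2/... are not flagged by an accidental substring.
        namespace = entry["path"][len("/wp-json/"):].split("/")[0].lower()
        if any(h in namespace for h in REST_HINTS):
            return f"unauthenticated REST request to {entry['path']}"
    return None


def scan(lines):
    """Return (findings, repeat_offenders): flagged entries and IPs at or above the threshold."""
    findings = []
    hits_per_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits_per_ip[entry["ip"]] += 1
            findings.append({"ip": entry["ip"], "time": entry["time"], "reason": reason})
    repeat_offenders = sorted(ip for ip, n in hits_per_ip.items() if n >= REPEAT_THRESHOLD)
    return findings, repeat_offenders


# Constructed sample lines (RFC 5737 documentation addresses, made-up action and route names).
SAMPLE_LOG = """\
203.0.113.10 - [01/Nov/2024:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_example_action HTTP/1.1" 200 "-"
203.0.113.10 - [01/Nov/2024:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_example_action HTTP/1.1" 200 "-"
203.0.113.10 - [01/Nov/2024:10:15:03 +0000] "GET /wp-json/masterstudy-example/v1/items HTTP/1.1" 200 "-"
198.51.100.7 - [01/Nov/2024:10:16:10 +0000] "POST /wp-admin/admin-ajax.php?action=stm_lms_example_action HTTP/1.1" 200 "wordpress_logged_in_abc=constructed-token; wp-settings-1=x"
198.51.100.8 - [01/Nov/2024:10:17:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 "-"
192.0.2.5 - [01/Nov/2024:10:18:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 "-"
"""

if __name__ == "__main__":
    found, repeats = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['ip']}: {f['reason']}")
    print("repeated unauthenticated access from:", repeats)
```

The authenticated request from 198.51.100.7 and the core heartbeat and /wp-json/wp/v2/ requests are left alone; the three unauthenticated hits from 203.0.113.10 are reported individually and the address is listed as a repeat source, which is the correlation step the strategies above call for before looking at database changes.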
Monitoring Recommendations
- Forward WordPress access logs and PHP error logs to a centralized logging platform for correlation and retention
- Alert on anomalous spikes in admin-ajax.php traffic that lacks authenticated session cookies
- Monitor WordPress wp_users, wp_usermeta, and MasterStudy LMS tables for unauthorized inserts and updates
- Track file integrity on the plugin directory wp-content/plugins/masterstudy-lms-learning-management-system/
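As an added example that is not part of the advisory or the plugin, the following script covers two of the recommendations above: the inventory step of reading the installed plugin version and deciding whether it falls at or below 3.2.12, and a file-integrity baseline of the plugin directory. It relies only on WordPress's standard plugin header format (a "Version:" line in the main plugin file's comment block) and on the plugin directory name given above; the sample plugin tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Added example (not from the advisory): version inventory and file-integrity
baseline for the MasterStudy LMS plugin directory."""
import hashlib
import os
import re
import tempfile

PLUGIN_SLUG = "masterstudy-lms-learning-management-system"  # directory name from the advisory
LAST_AFFECTED = "3.2.12"                                       # highest affected version per the advisory

# WordPress plugin headers are "Key: value" lines inside the main file's comment block.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(text):
    """'3.2.12' -> (3, 2, 12); a non-numeric component ends the comparison tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version):
    """True when version <= 3.2.12; tuples are zero-padded so 3.3 > 3.2.12 and 3.2 < 3.2.12."""
    a, b = parse_version(version), parse_version(LAST_AFFECTED)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def plugin_version_from_header(header_text):
    """Extract the Version header value, or None if the file carries no plugin header."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed plugin tree, check its version, then detect a change. Returns the results."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = os.path.join(tmp, "wp-content", "plugins", PLUGIN_SLUG)
        os.makedirs(os.path.join(plugin_dir, "includes"))
        main_file = os.path.join(plugin_dir, "masterstudy-lms-learning-management-system.php")
        with open(main_file, "w") as fh:  # constructed header, not the vendor's file
            fh.write("<?php\n/*\n * Plugin Name: Constructed LMS Plugin\n * Version: 3.2.12\n */\n")
        with open(os.path.join(plugin_dir, "includes", "helper.php"), "w") as fh:
            fh.write("<?php // constructed helper\n")

        with open(main_file) as fh:
            version = plugin_version_from_header(fh.read())
        baseline = hash_tree(plugin_dir)

        # Simulate a post-baseline change: one file edited, one file appeared.
        with open(os.path.join(plugin_dir, "includes", "helper.php"), "a") as fh:
            fh.write("// changed\n")
        with open(os.path.join(plugin_dir, "extra.php"), "w") as fh:
            fh.write("<?php // unexpected file\n")

        return {
            "version": version,
            "affected": is_affected(version),
            "changes": diff_baseline(baseline, hash_tree(plugin_dir)),
        }


if __name__ == "__main__":
    result = demo()
    print(f"installed {result['version']}, affected: {result['affected']}")
    print("changes since baseline:", result["changes"])
```

In practice the baseline is taken right after a trusted install or update and stored off the web host; a non-empty added or modified list for a directory that should only change on plugin updates is the signal the file-integrity recommendation above is looking for.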
How to Mitigate CVE-2024-37094
Immediate Actions Required
- Update the MasterStudy LMS plugin to a version released after 3.2.12 that addresses the access control flaw
- Audit user accounts, course content, and LMS configuration for unauthorized changes since the plugin was installed
- Restrict administrative access to WordPress to known IP ranges where feasible
- Review web server and application logs for prior exploitation attempts against vulnerable endpoints
Patch Information
StylemixThemes addressed the issue in a release subsequent to 3.2.12. Refer to the Patchstack Vulnerability Database Entry for the fixed version and vendor changelog. Apply the update through the WordPress plugin manager or by replacing the plugin files directly on the server.
Workarounds
- If patching is delayed, deactivate the MasterStudy LMS plugin until the update can be applied
- Place a WAF in front of WordPress and block unauthenticated requests to plugin AJAX and REST routes
- Limit access to /wp-admin/admin-ajax.php and /wp-json/ paths to authenticated sessions via reverse proxy rules
- Enforce least-privilege roles for all WordPress accounts and remove unused administrator accounts
# Example: block unauthenticated MasterStudy LMS AJAX actions at the web server (nginx)
# nginx does not allow nested "if" blocks, so the two conditions are combined
# through a flag variable. Only an "action" passed in the query string is
# visible here; an action sent in the POST body must be checked at the
# application layer. Replace php_upstream with the name of your PHP-FPM upstream.
location = /wp-admin/admin-ajax.php {
    set $block_stm_lms 0;
    if ($arg_action ~* "^stm_lms_") {
        set $block_stm_lms 1;
    }
    if ($http_cookie ~* "wordpress_logged_in_") {
        set $block_stm_lms 0;
    }
    if ($block_stm_lms = 1) {
        return 403;
    }
    include fastcgi_params;
    fastcgi_pass php_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

