CVE-2023-3345 is a newly discovered vulnerability in the Learning Management System (LMS) by Masteriyo WordPress plugin. Versions before 1.6.8 of the plugin are affected by this vulnerability, which could potentially lead to sensitive user information leakage. Specifically, this security flaw allows unauthorized users to retrieve other users' email addresses through the plugin's REST API endpoints. In this post, we will discuss the details of this vulnerability, its impact, and how it can be mitigated and fixed.

Vulnerability Details

The LMS by Masteriyo WordPress plugin is designed to facilitate the creation and management of online learning platforms on WordPress-powered websites. However, it was discovered that the plugin does not adequately safeguard sensitive information, such as users' email addresses.

Attackers could exploit this vulnerability to access and leak the email addresses of other users on the platform. The root cause is that the plugin's REST API endpoints were designed without authorization checks, so the data they return is not restricted to users entitled to see it.

Here's a code snippet that demonstrates one of the vulnerable REST API endpoints:

add_action('rest_api_init', function () {
  // Registers GET /wp-json/lms/v1/user/email/{id}. No 'permission_callback'
  // is supplied, so WordPress treats the route as publicly readable.
  register_rest_route( 'lms/v1', '/user/email/(?P<id>\d+)', array(
    'methods' => 'GET',
    'callback' => 'get_user_email'
  ));
});

// Route handler: looks up the requested user and returns their email
// address without checking who is asking.
function get_user_email($data) {
  $user = get_userdata($data['id']);

  if ($user === false) {
    return new WP_Error( 'user_not_found', 'User not found', array( 'status' => 404 ));
  }
  return array( 'email' => $user->user_email);
}

As seen in the code above, the 'get_user_email' function, which is registered as the callback for the '/user/email' route, retrieves the specified user's email address without any access control or authorization check. This means that any user with access to the LMS platform, such as a student, can make a REST API call to obtain other users' email addresses.
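For comparison, here is how the same route looks when registered with the access control it is missing. This is an added example written for this post, not the plugin's actual patch: the function names prefixed 'lms_example_' and the rule "a user may read their own address, anyone else's requires the 'list_users' capability" are assumptions chosen for illustration.

```php
<?php
// Added example (not the Masteriyo plugin's own code): the vulnerable route
// re-registered with a permission_callback and argument validation.

add_action('rest_api_init', function () {
  register_rest_route('lms/v1', '/user/email/(?P<id>\d+)', array(
    'methods'             => WP_REST_Server::READABLE,
    'callback'            => 'lms_example_get_user_email',
    // Deny by default: the callback only runs if this returns true.
    'permission_callback' => 'lms_example_can_view_user_email',
    'args'                => array(
      'id' => array(
        'required'          => true,
        // Reject anything that is not a positive integer before the handler runs.
        'validate_callback' => function ($value) {
          return is_numeric($value) && (int) $value > 0;
        },
        'sanitize_callback' => 'absint',
      ),
    ),
  ));
});

// Authorization decision (assumed policy): a logged-in user may read their own
// email address; reading another user's requires the list_users capability,
// which only administrators hold by default.
function lms_example_can_view_user_email(WP_REST_Request $request) {
  if (!is_user_logged_in()) {
    // rest_authorization_required_code() yields 401 for anonymous callers.
    return new WP_Error(
      'rest_forbidden',
      'Authentication required.',
      array('status' => rest_authorization_required_code())
    );
  }

  $requested_id = (int) $request['id'];
  if (get_current_user_id() === $requested_id || current_user_can('list_users')) {
    return true;
  }

  return new WP_Error(
    'rest_forbidden',
    'You are not allowed to view this user\'s email address.',
    array('status' => 403)
  );
}

// Handler: identical lookup to the vulnerable version, but it is only reached
// after the permission callback has approved the request.
function lms_example_get_user_email(WP_REST_Request $request) {
  $user = get_userdata((int) $request['id']);

  if ($user === false) {
    return new WP_Error('user_not_found', 'User not found', array('status' => 404));
  }

  return rest_ensure_response(array('email' => $user->user_email));
}
```

The important design choice is that the authorization check lives in 'permission_callback', which WordPress evaluates before the handler, rather than inside the handler itself; a route registered without one is treated as public, which is exactly the condition that produced this vulnerability.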

Exploit Example

An attacker could exploit this vulnerability by sending a GET request to the following REST API endpoint:

https://example.com/wp-json/lms/v1/user/email/USER_ID

Replace "example.com" with the target WordPress site's domain and "USER_ID" with the ID of the WordPress user whose email address is to be leaked.
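Because the endpoint takes a sequential numeric ID, abuse of it shows up in web-server logs as one client walking through many IDs on the same path. The following PHP script is an added example for this post, not code from the plugin or its vendor: it reads access-log lines in the common combined format and reports any client that successfully fetched the email endpoint for several distinct user IDs. The log lines, the '/wp-json/lms/v1/user/email/' path (taken from the exploit URL above) and the threshold of three IDs are constructed or assumed for the example.

```php
<?php
// Added example (not from the original post): flag clients that enumerate the
// email endpoint. Sample access-log lines below are constructed for the demo.

$log_lines = array(
  '203.0.113.10 - - [31/Jul/2023:10:00:01 +0000] "GET /wp-json/lms/v1/user/email/1 HTTP/1.1" 200 45 "-" "curl/8.1"',
  '203.0.113.10 - - [31/Jul/2023:10:00:02 +0000] "GET /wp-json/lms/v1/user/email/2 HTTP/1.1" 200 47 "-" "curl/8.1"',
  '203.0.113.10 - - [31/Jul/2023:10:00:02 +0000] "GET /wp-json/lms/v1/user/email/3 HTTP/1.1" 404 52 "-" "curl/8.1"',
  '203.0.113.10 - - [31/Jul/2023:10:00:03 +0000] "GET /wp-json/lms/v1/user/email/4 HTTP/1.1" 200 49 "-" "curl/8.1"',
  '198.51.100.7 - - [31/Jul/2023:10:05:10 +0000] "GET /wp-json/lms/v1/user/email/5 HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [31/Jul/2023:10:05:11 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
);

/**
 * Return an array of client IP => number of distinct user IDs whose email was
 * successfully retrieved, for clients at or above $threshold distinct IDs.
 */
function lms_example_find_email_enumeration(array $lines, $threshold = 3) {
  // Captures: 1 = client IP, 2 = timestamp, 3 = user ID, 4 = HTTP status.
  $pattern = '#^(\S+) \S+ \S+ \[([^\]]+)\] "GET /wp-json/lms/v1/user/email/(\d+)(?:\?[^" ]*)? HTTP/[\d.]+" (\d{3})#';

  $seen = array(); // ip => array(user id => true)

  foreach ($lines as $line) {
    if (!preg_match($pattern, $line, $m)) {
      continue; // not a request to the email endpoint
    }
    if ($m[4] !== '200') {
      continue; // only count responses that actually returned data
    }
    $seen[$m[1]][$m[3]] = true;
  }

  $alerts = array();
  foreach ($seen as $ip => $ids) {
    if (count($ids) >= $threshold) {
      $alerts[$ip] = count($ids);
    }
  }
  return $alerts;
}

// With the constructed lines above this reports 203.0.113.10 with 3 distinct
// IDs (the 404 for ID 3 is not counted); 198.51.100.7 stays below the threshold.
foreach (lms_example_find_email_enumeration($log_lines) as $ip => $count) {
  echo "possible email enumeration from {$ip}: {$count} distinct user IDs\n";
}
```

Run it against a real log by replacing the constructed array with the lines of the access log (for example via file('/path/to/access.log')). The check counts distinct IDs rather than raw requests so that a legitimate client repeatedly loading its own profile is not flagged, and it ignores non-200 responses so that probes against non-existent IDs do not inflate the count.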

Mitigations

To address this vulnerability, users are strongly advised to update the LMS by Masteriyo WordPress plugin to version 1.6.8 or later. The plugin's developers have released a patch in version 1.6.8, which resolves this security issue.

For those who are unable to upgrade immediately, a temporary workaround would be to disable the affected REST API endpoints by adding the following code snippet to the WordPress site's theme functions.php file or a custom plugin:

// Unregister the plugin's email route from the REST server so that requests
// to it are answered with a 404 instead of reaching the vulnerable callback.
add_filter('rest_endpoints', function ($endpoints) {
  // Replace the route string with the plugin's actual route if it differs.
  unset($endpoints['/lms/v1/user/email/(?P<id>\d+)']);
  return $endpoints;
}, PHP_INT_MAX);

Conclusion

CVE-2023-3345 poses a significant risk to users of the LMS by Masteriyo WordPress plugin due to the potential exposure of sensitive user information. It is crucial for website administrators to take immediate action to protect their users' privacy and prevent unauthorized access to email addresses.

References

- CVE-2023-3345 - NIST National Vulnerability Database
- LMS Plugin Security Advisory
- LMS Plugin Change Log

Stay informed about security vulnerabilities, updates, and best practices by regularly visiting reputable cybersecurity sources and keeping your WordPress plugins/themes up to date.

Timeline

Published on: 07/31/2023 10:15:00 UTC
Last modified on: 08/03/2023 20:30:00 UTC