CVE-2023-3345

Severity: Medium · Public PoC available

Published: 31 July 2023
Modified: 10 June 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: 1.6.8 (fixed release per the WPScan advisory)
CVSS v3.1 base score: 6.5 (vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.6484 (98.5th percentile)
Risk Priority: 52 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-3345 is a medium-severity vulnerability of unspecified weakness type (no CWE assigned) in Themegrill Masteriyo. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The LMS by Masteriyo WordPress plugin before version 1.6.8 contains an authorization flaw in certain REST API endpoints. This affects the plugin's handling of student data access controls within WordPress environments running the LMS component.

Any authenticated student user can exploit the issue over the network without user interaction. Successful exploitation allows retrieval of email addresses belonging to other students, resulting in a confidentiality impact rated high under the supplied CVSS vector while leaving integrity and availability unaffected.

The referenced WPScan advisory at https://wpscan.com/vulnerability/0d07423e-98d2-43a3-824d-562747a3d65a documents the missing authorization checks and identifies the fixed release as 1.6.8.
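As an added illustration of the vulnerability class described above (constructed example code, not Masteriyo's own plugin code): a WordPress REST route whose permission callback only requires that the caller be logged in, beside the hardened form that enforces an object-level check so a student can read only their own record. The `example-lms` namespace, route paths, function names and the use of the core `list_users` capability as the staff check are assumptions for the illustration.

```php
<?php
// Constructed example, not Masteriyo's code. Route names, callbacks and the
// 'example-lms' namespace are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// permission_callback only asks "is anyone logged in?", and the handler never
// checks that the requester is allowed to see the requested student. Any
// authenticated student can walk the id space and read other students' emails,
// which is the confidentiality impact (C:H) this CVE records.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/students-insecure/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_lms_get_student_insecure',
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

function example_lms_get_student_insecure( WP_REST_Request $request ) {
    $user = get_userdata( (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Student not found', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'    => $user->ID,
        'email' => $user->user_email,   // exposed to every logged-in user
    ) );
}

// --- Hardened pattern ---------------------------------------------------
// The permission callback performs an object-level authorization check:
// the caller may read their own record; anyone else needs a capability that
// only staff hold (a real LMS would define its own capability instead of
// reusing the core 'list_users').
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/students/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_lms_get_student_secure',
        'permission_callback' => 'example_lms_can_view_student',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_lms_can_view_student( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required', array( 'status' => 401 ) );
    }
    $requested = (int) $request['id'];
    if ( get_current_user_id() === $requested ) {
        return true;                                   // own record
    }
    if ( current_user_can( 'list_users' ) ) {
        return true;                                   // instructor / admin
    }
    // Denied: a student asking for someone else's record.
    return new WP_Error( 'rest_forbidden', 'You may only view your own profile', array( 'status' => 403 ) );
}

function example_lms_get_student_secure( WP_REST_Request $request ) {
    $user = get_userdata( $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Student not found', array( 'status' => 404 ) );
    }
    // Reached only after example_lms_can_view_student returned true.
    return rest_ensure_response( array(
        'id'    => $user->ID,
        'email' => $user->user_email,
    ) );
}
```

The defensive point is that `permission_callback` must decide per object, not merely per session: "logged in" is authentication, not authorization. For detection on an unpatched site, the hardened form also gives operators a signal the vulnerable form never produces, since every cross-student request now ends in a 403 that can be logged and alerted on; on the vulnerable form the same requests succeed silently, so the only indicator would be one account issuing many GETs across sequential student ids. Upgrading to 1.6.8 or later, as the advisory states, removes the flaw itself.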

EPSS for this CVE stands at a current and peak value of 0.6484, with no material upward movement after disclosure.

Vulnerability details

The LMS by Masteriyo WordPress plugin before 1.6.8 does not have proper authorization in some of its REST API endpoints, making it possible for any student to retrieve email addresses of other students.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: themegrill
Product: masteriyo
Versions: ≤ 1.6.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References