CVE-2023-3345
Published: 31 July 2023
Summary
CVE-2023-3345 is a medium-severity an unspecified weakness vulnerability in Themegrill Masteriyo. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The LMS by Masteriyo WordPress plugin before version 1.6.8 contains an authorization flaw in certain REST API endpoints. This affects the plugin's handling of student data access controls within WordPress environments running the LMS component.
Any authenticated student user can exploit the issue over the network without user interaction. Successful exploitation allows retrieval of email addresses belonging to other students, resulting in a confidentiality impact rated high under the supplied CVSS vector while leaving integrity and availability unaffected.
The referenced WPScan advisory at https://wpscan.com/vulnerability/0d07423e-98d2-43a3-824d-562747a3d65a documents the missing authorization checks and identifies the fixed release as 1.6.8.
EPSS for the CVE stands at a current and peak value of 0.6484 with no material upward movement after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44013
Vulnerability details
The LMS by Masteriyo WordPress plugin before 1.6.8 does not have proper authorization in one some of its REST API endpoints, making it possible for any students to retrieve email addresses of other students
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.