CVE-2023-4278
Published: 11 September 2023
Summary
CVE-2023-4278 is a high-severity vulnerability in the MasterStudy LMS WordPress plugin by Stylemixthemes: a missing authorization check during user registration. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 4.2% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.
Deeper analysis
The MasterStudy LMS WordPress plugin before version 3.0.18 contains a missing authorization check during user registration that permits any unauthenticated visitor to create an account with the instructor role. The affected component is the registration workflow in this learning-management-system plugin for WordPress, which subsequently grants the newly created account the ability to publish courses and posts.
An attacker can exploit the flaw over the network without authentication or user interaction, and the impact is to integrity: arbitrary course content or posts can be added to the site. The CVSS 3.1 score of 7.5 is the score for network accessibility, low attack complexity, no required privileges, no user interaction and a high integrity impact with no confidentiality or availability impact (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Public references on WPScan and Packet Storm document the issue and include proof-of-concept material showing account creation, but do not detail additional mitigations beyond upgrading to 3.0.18 or later. The EPSS score has remained near 0.21–0.22 with no material rise after disclosure.
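The page does not reproduce the plugin's code, and the exact request fields involved are not documented here, so the following is an added illustration rather than MasterStudy LMS code. It contrasts the pattern the description implies, a public registration handler that lets the client choose its role, with a hardened version in which registration can only ever yield a self-service role and instructor status is granted by a separate, capability-checked action. The function names, the `become_instructor` field, the `example_register` nonce action and the `stm_lms_instructor` role slug are assumptions for the example; the WordPress API calls (`wp_insert_user`, `wp_verify_nonce`, `current_user_can`, `get_user_by`, `WP_User::set_role`) are real.

```php
<?php
// Added illustration, not code from MasterStudy LMS. Field names, hook names and
// the instructor role slug are assumptions chosen for the example.

// --- Vulnerable pattern: the client picks its own role -------------------------
// A public registration form posts user_login, user_email, password and a
// become_instructor flag; the handler honours the flag with no server-side check,
// so any unauthenticated visitor can create an instructor account.
function example_register_user_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );

    // Attacker-controlled: become_instructor=1 is all it takes.
    $role = ! empty( $_POST['become_instructor'] ) ? 'stm_lms_instructor' : 'subscriber';

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );
}

// --- Hardened pattern: registration never grants a privileged role ---------------
// Roles an anonymous visitor may obtain through self-service registration.
const EXAMPLE_SELF_SERVICE_ROLES = array( 'subscriber' );

function example_register_user_hardened() {
    // 1. Registration must be enabled and the public form must carry a valid nonce.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form token.' );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );

    // 2. The role is decided server-side and clamped to the allow-list; nothing the
    //    client sends can select it.
    $role = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, EXAMPLE_SELF_SERVICE_ROLES, true ) ) {
        $role = 'subscriber';
    }

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );
}

// 3. Promotion to instructor is a separate, privileged operation: the caller must
//    hold edit_users and the target account must exist. An unauthenticated visitor
//    fails current_user_can() and never reaches set_role().
function example_promote_to_instructor( $user_id ) {
    if ( ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'forbidden', 'You may not change user roles.' );
    }
    $user = get_user_by( 'id', (int) $user_id );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user.' );
    }
    $user->set_role( 'stm_lms_instructor' ); // assumed role slug
    return true;
}
```

The point of the hardened version is structural rather than a single missing `if`: the registration path has no code path that can produce a privileged role at all, so a future form field or AJAX parameter cannot reintroduce the bug, and role elevation lives behind a capability check that WordPress evaluates against the current session, not against request data.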
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54149
Vulnerability details
The MasterStudy LMS WordPress plugin before 3.0.18 does not have proper checks in place during registration, allowing anyone to register on the site as an instructor. They can then add courses and/or posts.
Related Threats
No named threat actor attribution at the time of writing.
Affected Assets
MasterStudy LMS WordPress plugin (Stylemixthemes), versions before 3.0.18.
Mitigating Controls
Upgrade MasterStudy LMS to 3.0.18 or later; the public references document no other mitigation. Note that upgrading closes the registration path but does not touch accounts that were already created through it, so instructor-role users registered before the upgrade, and any courses or posts they published, still need to be reviewed and removed by an administrator.
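An added helper for that post-upgrade review, not part of the page or of the plugin: it lists accounts holding the instructor role that were registered on or after a chosen date, together with the number of courses each has authored. The `stm_lms_instructor` role slug and the `stm-courses` post type are assumptions; confirm the values your installation uses before relying on the output. `get_users`, its `date_query` argument and `count_user_posts` are standard WordPress functions.

```php
<?php
// Added example, not MasterStudy LMS code. Role slug and post type are assumptions.
// Equivalent wp-cli listing (without the course count):
//   wp user list --role=stm_lms_instructor --fields=ID,user_login,user_email,user_registered

/**
 * Return instructor accounts registered on or after $since, newest first.
 *
 * @param string $since     Date (Y-m-d) from which registrations are suspect,
 *                          e.g. the disclosure date or the install date of the
 *                          vulnerable version.
 * @param string $role      Role slug to inspect (assumed default).
 * @param string $post_type Course post type used for the per-user count (assumed).
 * @return array<int, array<string, mixed>>
 */
function example_list_recent_instructors( $since = '2023-09-11', $role = 'stm_lms_instructor', $post_type = 'stm-courses' ) {
    $users = get_users( array(
        'role'       => $role,
        'date_query' => array(
            array( 'after' => $since, 'inclusive' => true ), // user_registered >= $since
        ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
        'fields'     => 'all',
    ) );

    $rows = array();
    foreach ( $users as $u ) {
        $rows[] = array(
            'ID'         => (int) $u->ID,
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered,
            'courses'    => (int) count_user_posts( $u->ID, $post_type ),
        );
    }
    return $rows;
}

// Usage from an admin-only context (e.g. a one-off wp eval-file run):
//   foreach ( example_list_recent_instructors( '2023-09-01' ) as $row ) {
//       printf( "%d\t%s\t%s\t%s\tcourses=%d\n",
//           $row['ID'], $row['login'], $row['email'], $row['registered'], $row['courses'] );
//   }
```

Accounts that appear here but were not created by a known person are candidates for deletion; WordPress lets you reassign or delete their content at the same time, which is the simplest way to remove any courses or posts an attacker published through the flaw.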