
CVE-2024-3136

Severity: Critical
Published: 09 April 2024
Modified: 08 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.5421 (98.1st percentile)
Risk Priority: 52 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-3136 is a critical-severity file inclusion vulnerability, classified as CWE-98 (PHP Remote File Inclusion), in the StylemixThemes MasterStudy LMS plugin for WordPress. Its CVSS v3.1 base score is 9.8 (Critical). Although the CWE label says "remote", the flaw as described is a local file inclusion: the attacker controls which file on the server is included, not a remote URL.

Operationally, its EPSS score places it in the top 1.9% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The MasterStudy LMS plugin for WordPress is affected by a local file inclusion vulnerability in all versions through 3.3.3. The flaw lies in the handling of the "template" parameter in the plugin's helpers.php and templates.php: the parameter value reaches a PHP include without validation, so an attacker can supply an arbitrary file path that the PHP interpreter then includes and executes.

The issue is exploitable by unauthenticated remote attackers over the network with no user interaction. An included file is executed if it contains PHP code and otherwise has its contents emitted verbatim, so the primitive yields either disclosure of server files (configuration, credentials) or arbitrary code execution. Code execution is the practical outcome wherever the attacker can first place a file containing PHP on the server, for example by uploading an image whose body carries embedded PHP through an upload path that only checks the file type.
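The shape of the bug and of its fix, as an added illustration in PHP. This is not code from the MasterStudy LMS plugin and does not reproduce its helpers.php or templates.php; the function names, the template allowlist and the scratch directory layout are hypothetical. The vulnerable function splices the request value straight into an include path; the hardened one treats the value as a key into an allowlist and, as defence in depth, canonicalises the resolved path and checks that it stays inside the template directory:

```php
<?php
// Added illustration, not code from the MasterStudy LMS plugin. It models the
// class of flaw described above: a request parameter named "template" selects
// a file that is handed to include(). Names and paths are hypothetical.

declare(strict_types=1);

// Vulnerable shape. Whatever arrives in the parameter is spliced into the
// include path, so "../uploads/avatar.jpg" (an uploaded image whose body
// carries "<?php ... ?>") or "../../../wp-config.php" is resolved relative to
// the template directory and executed (or echoed, for a non-PHP file).
function render_template_vulnerable(string $templateDir, string $template): void
{
    include $templateDir . '/' . $template;
}

// Hardened shape: map the request value to a file path, or return null.
//  1. The value is a key into an allowlist, never a path fragment.
//  2. The resolved path is canonicalised and must remain under $templateDir.
//  3. Only .php files under that directory are ever included.
// Step 1 alone closes the bug; 2 and 3 guard against a later loosening of
// the allowlist (for example, accepting theme overrides by name).
function resolve_template_path(string $templateDir, string $template): ?string
{
    static $allowed = [
        'course'  => 'course.php',
        'lesson'  => 'lesson.php',
        'profile' => 'profile.php',
    ];
    if (!isset($allowed[$template])) {
        return null;
    }
    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $allowed[$template]);
    if ($path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // escaped the template directory via symlink or traversal
    }
    if (substr($path, -4) !== '.php') {
        return null;
    }
    return $path;
}

function render_template_hardened(string $templateDir, string $template): void
{
    $path = resolve_template_path($templateDir, $template);
    if ($path === null) {
        http_response_code(400);
        echo "unknown template\n";
        return;
    }
    include $path;
}

// Self-contained demonstration on a scratch directory (constructed data).
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/templates", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/templates/course.php", "<?php echo \"course template\\n\";");
// An "image" that passed a type check on upload but carries PHP in its body.
file_put_contents("$root/uploads/avatar.jpg", "JFIF-header-bytes<?php echo \"PAYLOAD RAN\\n\";");

foreach (['course', '../uploads/avatar.jpg'] as $t) {
    echo "vulnerable('$t'): ";
    render_template_vulnerable("$root/templates", $t); // second case runs the payload
}
foreach (['course', '../uploads/avatar.jpg', '../../../../etc/passwd'] as $t) {
    echo "hardened('$t'): ";
    render_template_hardened("$root/templates", $t);   // only 'course' renders
}

// Clean up the scratch directory.
unlink("$root/templates/course.php");
unlink("$root/uploads/avatar.jpg");
rmdir("$root/templates");
rmdir("$root/uploads");
rmdir($root);
```

Run it with `php lfi-demo.php`; the vulnerable path prints "PAYLOAD RAN" for the uploaded image, the hardened path refuses everything except the allowlisted name. When hunting for exploitation attempts in web server logs, requests to the plugin's endpoints whose `template` value contains `../`, an absolute path, or a non-template extension such as `.jpg` are the indicator that follows directly from this bug class; none of that replaces applying the plugin update.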

Public references include Wordfence advisory data and WordPress plugin Trac changesets that document the corrective modifications applied to helpers.php and templates.php. Site administrators should apply the available plugin update that resolves the parameter handling weakness.

The EPSS score has held at 0.5421, its peak value, with no recorded post-disclosure increase.

Vulnerability details

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

StylemixThemes MasterStudy LMS (WordPress plugin), listed here as ≤ 3.3.4. The advisory text above gives the affected range as up to and including 3.3.3, so the two figures disagree by one release; treat ≤ 3.3.4 as the conservative bound and confirm the installed version against the fixed release in the plugin changelog before closing the finding.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
