CVE-2024-3136
Published: 09 April 2024
Summary
CVE-2024-3136 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Stylemixthemes Masterstudy Lms. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The MasterStudy LMS plugin for WordPress is affected by a local file inclusion vulnerability in all versions through 3.3.3. The flaw resides in the handling of the "template" parameter within the plugin's helpers.php and templates.php components, enabling an attacker to supply an arbitrary file path that is subsequently included and executed by the PHP interpreter.
Unauthenticated remote attackers can exploit the issue over the network without any user interaction or credentials. Successful exploitation permits inclusion of attacker-controlled files, which can be leveraged to bypass access controls, read sensitive data, or obtain arbitrary code execution when combined with the ability to upload files such as images that contain embedded PHP.
Public references include Wordfence advisory data and WordPress plugin Trac changesets that document the corrective modifications applied to helpers.php and templates.php. Site administrators should apply the available plugin update that resolves the parameter handling weakness.
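The weakness class described above is a request-controlled value reaching include(). The following is an added illustration of that pattern beside a hardened form; it is hypothetical code written for this page, not the MasterStudy LMS plugin's own code or its actual fix, and the template directory and allowlist names are assumptions.

```php
<?php
// Hypothetical illustration of CWE-98 for this advisory; not the plugin's code.

// Vulnerable pattern: a request-supplied 'template' value is handed straight to include(),
// so whatever path the client sends is read and executed by the PHP interpreter.
function render_template_vulnerable(string $template): void
{
    include $template;
}

// Hardened pattern: fixed base directory (assumed) plus an explicit allowlist of names.
const TEMPLATE_DIR = __DIR__ . '/templates';
const TEMPLATE_ALLOWLIST = ['course-list', 'course-single', 'lesson'];

// Returns the canonical path of an allowlisted template, or null if the value is rejected.
function resolve_template(string $template): ?string
{
    // 1. Only bare, allowlisted names are accepted; paths, dots and wrappers never match.
    if (!in_array($template, TEMPLATE_ALLOWLIST, true)) {
        return null;
    }
    // 2. The code, not the client, builds the final path.
    $candidate = TEMPLATE_DIR . '/' . $template . '.php';
    // 3. Defence in depth: the canonical path must stay inside the template directory.
    $real = realpath($candidate);
    $base = realpath(TEMPLATE_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function render_template_hardened(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400); // reject instead of including
        return;
    }
    include $path;
}

// Constructed inputs: an allowlisted name resolves (if the file exists); the others are
// rejected at step 1 before any filesystem access or include() takes place.
var_dump(resolve_template('course-single') !== null || !file_exists(TEMPLATE_DIR));
var_dump(resolve_template('../../outside-the-plugin') === null); // bool(true)
var_dump(resolve_template('php://input') === null);              // bool(true)
```

The allowlist is the control that actually closes the class of bug; the realpath() containment check only guards against later code building paths from the allowlisted name in an unsafe way.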
The associated EPSS score has remained stable at its peak value of 0.5421 with no indicated post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31736
Vulnerability details
The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.