Vulnerability Description
The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpc_update_user_meta_option() function in all versions up to, and including, 3.2.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary users' metadata, which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0.
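The class of fix for a missing capability check on a user-meta update handler, as an added example that is not the plugin's code or its actual patch. The handler name, AJAX action, nonce action, request field names and allowlisted meta keys are all hypothetical; only core WordPress functions are used.

```php
<?php
// Added example: hypothetical AJAX handler, NOT the WP Courses plugin's code.
// Action name, nonce action, field names and allowlisted keys are assumptions.

// Only the meta keys this feature needs may be written. Keys such as
// wp_capabilities or wp_user_level are never in this list.
const EXAMPLE_ALLOWED_USER_META = array( 'example_course_view', 'example_hide_tips' );

function example_update_user_meta_option() {
    // 1. Reject forged cross-site requests; exits the request on failure.
    check_ajax_referer( 'example_update_user_meta', 'nonce' );

    $target_id = isset( $_POST['user_id'] )
        ? absint( $_POST['user_id'] )
        : get_current_user_id();
    $meta_key = isset( $_POST['meta_key'] )
        ? sanitize_key( wp_unslash( $_POST['meta_key'] ) )
        : '';
    $meta_value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';

    // 2. Capability check scoped to the target user. Core maps 'edit_user'
    //    so that a Subscriber passes for their own ID only; editing anyone
    //    else requires the edit_users capability.
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Allowlist the key, so even a permitted caller cannot touch
    //    role or capability metadata through this endpoint.
    if ( ! in_array( $meta_key, EXAMPLE_ALLOWED_USER_META, true ) ) {
        wp_send_json_error( array( 'message' => 'Meta key not allowed' ), 400 );
    }

    update_user_meta( $target_id, $meta_key, $meta_value );
    wp_send_json_success();
}

// Registered for logged-in users only: no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_update_user_meta', 'example_update_user_meta_option' );
```

The allowlist in step 3 matters independently of step 2: a Subscriber legitimately passes the capability check for their own account, and without the key restriction could still overwrite their own role metadata.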
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://www.wordfence.com/threat-intel/vulnerabilities/id/760e999e-cac9-493f-973
FAQ
What is CVE-2024-12172?
CVE-2024-12172 is a vulnerability with a CVSS score of 7.5 (HIGH). The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the w...
How severe is CVE-2024-12172?
CVE-2024-12172 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-12172?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.