LifterLMS
cpe:2.3:a:lifterlms:lifterlms:*:*:*:*:wordpress:*:*
- >= 3.5.3, <= 3.41.2
- >= 4.0.0, <= 4.21.3
- >= 5.0.0, <= 5.10.0
- >= 6.0.0, <= 6.11.0
- >= 7.0.0, <= 7.8.7
- >= 8.0.0, <= 8.0.7
- >= 9.0.0, <= 9.0.7
- >= 9.1.0
A privilege escalation vulnerability has been identified in the LifterLMS WordPress plugin (LifterLMS – WP LMS for eLearning, Online Courses, and Quizzes), affecting the version ranges 3.5.3 prior to 3.41.2, 4.0.0 prior to 4.21.3, 5.0.0 prior to 5.10.0, 6.0.0 prior to 6.11.0, 7.0.0 prior to 7.8.7, 8.0.0 prior to 8.0.7, 9.0.0 prior to 9.0.7, and 9.1.0. The vulnerability arises because the plugin fails to properly validate a user's identity and authorization before allowing them to modify their own role through the REST API. This oversight enables authenticated attackers with student-level access or higher to escalate their privileges to administrator by sending a crafted REST API request that updates their role. Additionally, another endpoint designed for instructors presents a similar attack vector.
Exploitation of this vulnerability allows authenticated users with student-level access to escalate their privileges to administrator.
To reproduce this vulnerability, an authenticated user with student-level access can send a REST API request to the LifterLMS users controller, specifically targeting the 'roles' parameter. The request should include a role assignment that escalates privileges, such as 'administrator'. The absence of proper permission checks in the 'update_item_permissions_check()' function will allow this role modification to be processed, thereby escalating the user's privileges.
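Shown below, as an added illustration that is not LifterLMS's own code or its fix, is the kind of `permission_callback` a WordPress REST user-update route needs: editing one's own profile may be self-service, but any request that carries a `roles` parameter must additionally be gated on the capability WordPress core itself uses for role changes (`promote_users`) and on the caller holding every capability the requested role would grant. The function and error-code names prefixed `example_` and `rest_cannot_*` are assumptions; the WordPress functions used (`current_user_can`, `get_role`, `WP_Error`, `rest_authorization_required_code`) are real core APIs.

```php
<?php
// Added illustration, not LifterLMS code: a permission callback for a REST
// "update user" route that refuses role changes unless the caller is allowed
// to grant them. Identifiers prefixed "example_" are hypothetical.

/**
 * Permission callback for a route such as POST /example/v1/users/(?P<id>\d+).
 *
 * Returns true to allow the request, or a WP_Error to reject it. The second
 * block is the check whose absence lets a student-level user self-assign
 * the "administrator" role.
 */
function example_update_user_permissions_check( WP_REST_Request $request ) {
	$target_id  = (int) $request->get_param( 'id' );
	$current_id = get_current_user_id(); // 0 when not authenticated

	if ( 0 === $current_id ) {
		return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
	}

	// Editing another account requires the edit_user meta capability on that user.
	if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
		return new WP_Error( 'rest_cannot_edit', 'You cannot edit this user.', array( 'status' => rest_authorization_required_code() ) );
	}

	// A role change is a privilege operation regardless of whose account it is,
	// so "it is my own profile" must never be sufficient here.
	$roles = $request->get_param( 'roles' );
	if ( ! empty( $roles ) ) {
		if ( ! current_user_can( 'promote_users' ) ) {
			return new WP_Error( 'rest_cannot_edit_roles', 'You are not allowed to change roles.', array( 'status' => rest_authorization_required_code() ) );
		}
		// Even a privileged caller may only grant roles whose capabilities they already hold.
		foreach ( (array) $roles as $role ) {
			$role_obj = get_role( $role );
			if ( null === $role_obj ) {
				return new WP_Error( 'rest_invalid_role', 'Unknown role.', array( 'status' => 400 ) );
			}
			foreach ( array_keys( $role_obj->capabilities ) as $cap ) {
				if ( ! current_user_can( $cap ) ) {
					return new WP_Error( 'rest_cannot_grant_role', 'Cannot grant a role with capabilities you lack.', array( 'status' => rest_authorization_required_code() ) );
				}
			}
		}
	}

	return true;
}
```

Wire it in via the `permission_callback` argument of `register_rest_route()`; the route handler itself then never sees a role change from a caller who could not make it through the normal admin UI.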
Users are advised to update the LifterLMS plugin to version 9.1.1 or one of the other available patched versions.