Jul 31, 2023 - 10:15 a.m.

CVE-2023-3345

2023-07-31 10:15:10
web.nvd.nist.gov
Tags: lms, masteriyo, wordpress, plugin, cve-2023-3345, information security, vulnerability, rest api

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 7 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 74.0%)

The LMS by Masteriyo WordPress plugin before 1.6.8 does not properly safeguard sensitive user information, such as other users' email addresses, making it possible for any student to leak it via some of the plugin's REST API endpoints.

Affected configurations

Node: masteriyo masteriyo, Range: <1.6.8

| Vendor | Product | Version | CPE |
|---|---|---|---|
| masteriyo | masteriyo | * | cpe:2.3:a:masteriyo:masteriyo:*:*:*:*:*:*:*:* |

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "LMS by Masteriyo",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.6.8"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
