The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to unauthorized addition of users to a group due to a missing capability check on the /wp-json/ulgm_management/v1/add_user/ REST API endpoint in all versions up to, and including, 6.1.0.1. This makes it possible for authenticated attackers, with group leader-level access and above, to add users to their group, which ultimately allows them to leverage CVE-2024-8349 and gain admin access to the site.
Reserved 2024-08-30 | Published 2024-09-25 | Updated 2024-09-25 | Assigner Wordfence
2024-08-15: Vendor Notified
2024-09-24: Disclosed
Karl Emil Nikka
www.wordfence.com/...-5f7d-4033-9a65-41b590b7d510?source=cve
github.com/karlemilnikka/CVE-2024-8349-and-CVE-2024-8350