Uncanny Groups for LearnDash (uncanny-learndash-group) is a third-party plugin for LearnDash LMS (sfwd-lms). The plugin lets Group Leaders (custom LearnDash role) manage users of their own LearnDash groups from the frontend.
Group Leaders can add existing users to their groups. Existing users are added automatically (i.e., they don’t have to accept any invites).
If the site admin has enabled a plugin feature called “Allow group leaders to edit users”, Group Leaders can also change their group members’ (Users’) names and email addresses. This feature is disabled by default.
A Group Leader can change an Admin’s email address and thereby gain admin access if the “Allow group leaders to edit users” setting is enabled. When exploited in conjunction with CVE-2024-8350, all Group Leaders can become Admins regardless of the “Allow group leaders to edit users” setting’s status.
- CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2 High)
- Software: Uncanny Groups for LearnDash (uncanny-learndash-group)
- Affected versions: <= 6.1.0.1
- Patched version: 6.1.1 (partially patched in 6.1.0.1)
- Developer: Uncanny Owl
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-09-17
- Last updated: 2024-09-17
The plugin does not check the role of existing group members (Users) when they are added to new groups. If “Allow group leaders to edit users” is enabled, a Group Leader can thereby gain admin privileges on the site by adding an existing Admin to its group. After adding an existing Admin to the group, the Group Leader just changes the Admin’s email address and resets the password.
Uncanny Owl published an insufficient patch (6.1.0.1) on 2024-08-26. The vulnerability could no longer be exploited to become Admin (except in conjunction with CVE-2024-8350), but any Group Leader could still use it to take over an Editor (or lower-privileged) account. “Allow group leaders to edit users” had to be enabled.
Uncanny Owl published a full patch (6.1.1) on 2024-09-11.
A Group Leader can change Users’ contact details due to a missing permission check in the REST API. When exploited in conjunction with CVE-2024-8349, all Group Leaders can give themselves admin privileges.
- CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N (2.7 Low)
- Software: Uncanny Groups for LearnDash (uncanny-learndash-group)
- Affected versions: <= 6.1.0.1
- Patched version: 6.1.1 (partially patched in 6.1.0.1)
- Developer: Uncanny Owl
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-09-17
- Last updated: 2024-09-17
The plugin has a site-wide permission setting called “Allow group leaders to edit users”. When enabled, Group Leaders can change their group members’ (Users’) names and email addresses. This feature is disabled by default.
Disabling the feature does, however, only hide the edit option on the frontend. A Group Leader can still send the same actions directly to the REST API as POST requests. Since Group Leaders can add any user to their groups, Group Leaders can thereby change all Users’ names and email addresses.
https://example.com/wp-json/ulgm_management/v1/edit_user/?action=edit-user&group-id={Group ID}&edit-user-id={user ID}&first_name=Lorem&last_name=Ipsum&email={attacker's email address}
(The group ID and the user ID can be found as part of the page content.)
When exploited in conjunction with CVE-2024-8349, all Group Leaders can give themselves admin privileges.
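The two root causes above (the role of an existing member is never checked when they are added, and the “Allow group leaders to edit users” switch only hides the frontend control while the REST endpoint stays open) share one fix: every rule the UI enforces has to be enforced again in the endpoint’s permission callback. The following is an added example written for this report, not code from Uncanny Groups for LearnDash or Uncanny Owl. It contrasts the weak gate with a hardened one for a WordPress REST route. All names prefixed `example_` (route namespace, option key, the `example_member_edited` audit action) are hypothetical; `learndash_get_groups_user_ids()` and `learndash_get_groups_administrator_ids()` are assumed to exist in the installed LearnDash version and should be checked against it.

```php
<?php
/**
 * Added example, not the plugin's code: a WordPress REST route that edits a
 * group member, with the weak gate the advisory describes next to a gate that
 * re-checks server-side everything the frontend merely hides.
 * Names prefixed "example_" are hypothetical.
 */

// WEAK: only asks "is the caller a logged-in Group Leader?". The site-wide
// "Allow group leaders to edit users" switch, the target's group membership and
// the target's role are never consulted, so hiding the modal changes nothing
// for requests sent straight to the endpoint.
function example_weak_permission( WP_REST_Request $request ) {
    return is_user_logged_in() && current_user_can( 'group_leader' );
}

// Hypothetical membership helpers built on LearnDash's group lookups
// (assumed to exist in the installed LearnDash version).
function example_user_leads_group( $user_id, $group_id ) {
    return in_array( $user_id, (array) learndash_get_groups_administrator_ids( $group_id ), true );
}
function example_user_in_group( $user_id, $group_id ) {
    return in_array( $user_id, (array) learndash_get_groups_user_ids( $group_id ), true );
}

// Capabilities that confer authority over content or other accounts. A caller
// may edit a target only if the target holds none of these that the caller lacks;
// this is the check that separates "edit a student" from "take over an Admin".
const EXAMPLE_PRIVILEGED_CAPS = array(
    'manage_options', 'edit_users', 'promote_users', 'delete_users',
    'edit_others_posts', 'publish_posts', 'edit_posts', 'unfiltered_html',
);

function example_caller_outranks( $caller_id, $target_id ) {
    foreach ( EXAMPLE_PRIVILEGED_CAPS as $cap ) {
        if ( user_can( $target_id, $cap ) && ! user_can( $caller_id, $cap ) ) {
            return false; // the target is more privileged than the caller
        }
    }
    return true;
}

// HARDENED: the permission callback enforces every rule, independently of the UI.
function example_edit_user_permission( WP_REST_Request $request ) {
    $forbidden = function ( $msg ) {
        return new WP_Error( 'rest_forbidden', $msg, array( 'status' => 403 ) );
    };

    // 1. Honour the site-wide feature switch at the API, not only in the template.
    if ( ! get_option( 'example_allow_leaders_edit_users', false ) ) {
        return $forbidden( 'Editing users is disabled on this site.' );
    }

    $caller_id = get_current_user_id();
    $group_id  = (int) $request->get_param( 'group-id' );
    $target_id = (int) $request->get_param( 'edit-user-id' );

    // 2. The caller must lead this specific group and the target must belong to it.
    if ( ! example_user_leads_group( $caller_id, $group_id )
        || ! example_user_in_group( $target_id, $group_id ) ) {
        return $forbidden( 'Target is not a member of a group you lead.' );
    }

    // 3. A leader must never rewrite an account more privileged than their own.
    if ( ! example_caller_outranks( $caller_id, $target_id ) ) {
        return $forbidden( 'Target account outranks you.' );
    }
    return true;
}

function example_edit_user( WP_REST_Request $request ) {
    $target_id = (int) $request->get_param( 'edit-user-id' );
    $email     = sanitize_email( (string) $request->get_param( 'email' ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid email address.', array( 'status' => 400 ) );
    }
    $result = wp_update_user( array(
        'ID'         => $target_id,
        'first_name' => sanitize_text_field( (string) $request->get_param( 'first_name' ) ),
        'last_name'  => sanitize_text_field( (string) $request->get_param( 'last_name' ) ),
        'user_email' => $email,
    ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    // Leave an audit trail of who changed whose contact details.
    do_action( 'example_member_edited', get_current_user_id(), $target_id, $email );
    return rest_ensure_response( array( 'updated' => $target_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example_management/v1', '/edit_user', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_edit_user',
        'permission_callback' => 'example_edit_user_permission',
    ) );
} );
```

The capability comparison in step 3 is deliberately placed in the endpoint rather than in the frontend template: the 6.1.0.1 patch described below added exactly this kind of check to the modal only, which is why the REST route remained exploitable. A site can also hook the audit action to alert when a member’s email changes, and WordPress core already notifies the old address when `wp_update_user()` changes `user_email`, which gives the legitimate owner a chance to notice an unexpected change.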
Uncanny Owl published an insufficient patch (6.1.0.1) on 2024-08-26. The vulnerability was partially patched but, yet again, only on the frontend. The setting “Allow group leaders to edit users” had to be enabled.
If a Group Leader had an Admin as part of its group, the Group Leader could no longer display the modal for changing the Admin’s email address. However, the REST API still let the Group Leader do it.
A Group Leader could still become Admin by exploiting CVE-2024-8350 in conjunction with CVE-2024-8349. The Group Leader first had to add an Editor to its group and take over the Editor’s account. The Group Leader (now an Editor) could then add an Admin from LearnDash’s backend and change the Admin’s email address through Uncanny Groups’ REST API.
Uncanny Owl published a full patch (6.1.1) on 2024-09-11.
- 2024-08-12 I reported CVE-2024-8349 to Uncanny Owl.
- 2024-08-12 Uncanny Owl confirmed receiving the report.
- 2024-08-15 I reported CVE-2024-8350 to Uncanny Owl.
- 2024-08-22 Uncanny Owl confirmed receiving the report.
- 2024-08-26 Uncanny Owl released Uncanny Groups for LearnDash 6.1.0.1 without sending me a pre-release version.
- 2024-08-30 I reported the insufficient patch to Uncanny Owl.
- 2024-08-30 Wordfence assigned the vulnerabilities their CVE IDs.
- 2024-09-04 I sent a reminder to Uncanny Owl, asking them to confirm receiving the report about the insufficient patch.
- 2024-09-05 Uncanny Owl confirmed receiving the report about the insufficient patch.
- 2024-09-11 Uncanny Owl sent me a pre-release version of the next release.
- 2024-09-11 I reviewed the pre-release version and suggested some additional minor security improvements.
- 2024-09-11 Uncanny Owl sent me a second pre-release version with the suggested improvements implemented.
- 2024-09-11 I confirmed that the two vulnerabilities were fully patched in the second pre-release version.
- 2024-09-11 Uncanny Owl published Uncanny Groups for LearnDash 6.1.1.
- 2024-09-17 I published this report.
- 2024-09-18 I corrected some minor spelling mistakes (thanks @labanskoller).
Uncanny Owl handled the vulnerability reports well and addressed the vulnerabilities within the 90-day responsible disclosure window.
Site admins should be aware that a Group Leader of Group A can add a User that is part of Group B without the User’s consent. This can be a confidentiality and GDPR compliance issue if, for example, Group A and Group B are two different companies. It is, however, not a vulnerability, since this is how the plugin is intended to work.
I submitted a feature request about addressing this confidentiality issue back in 2021. Uncanny Owl will now reconsider my feature request. Affected sites can in the meanwhile implement their own workarounds using the ulgm_gdpr_is_group_leader_allowed filter and custom frontend template overrides.