CVE-2022-0441: 
WordPress vulnerability analysis and mitigation

CVE-2022-0441 affects the MasterStudy LMS WordPress plugin versions before 2.7.6. The vulnerability was discovered and disclosed on February 1, 2022, and allows unauthenticated users to register as an administrator due to improper parameter validation during the account registration process (WPScan).

The vulnerability exists in the user registration functionality where the plugin fails to properly validate parameters during account creation. An attacker can exploit this by sending a specially crafted POST request to /wp-admin/admin-ajax.php with the action=stmlmsregister parameter, including administrator capabilities in the profiledefaultfieldsforregister parameter. The vulnerability has been assigned a CVSS score of 10.0 (Critical) and is classified under CWE-269 (WPScan).

The successful exploitation of this vulnerability allows unauthenticated attackers to create administrator accounts on affected WordPress installations. This gives attackers full administrative access to the WordPress site, enabling them to modify content, install plugins, manage users, and potentially compromise the entire website (WPScan).

The vulnerability has been patched in MasterStudy LMS version 2.7.6. Site administrators are strongly advised to update to this version or later to protect against this vulnerability (WPScan).