CVE-2024-8349: 
WordPress vulnerability analysis and mitigation

The Uncanny Groups for LearnDash plugin for WordPress (versions up to and including 6.1.0.1) contains a privilege escalation vulnerability identified as CVE-2024-8349. The vulnerability stems from improper restrictions on what users a group leader can edit, allowing authenticated attackers with group leader-level access to modify admin account email addresses, potentially leading to unauthorized admin account access (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-862 (Missing Authorization) and affects all versions of the plugin up to 6.1.0.1. The vulnerability exists due to insufficient role checking when group leaders edit user information, particularly email addresses of admin accounts (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with group leader-level access to modify admin account email addresses. This modification can lead to complete administrative access to the WordPress site, effectively compromising the entire system's security (GitHub Advisory).

The vulnerability has been patched in version 6.1.1 of the Uncanny Groups for LearnDash plugin. Site administrators are strongly advised to update to this version immediately. A partial patch was initially released in version 6.1.0.1, but it was found to be insufficient in fully addressing the security issue (GitHub Advisory).