CVE-2024-8349

HIGH

Uncanny Groups for LearnDash <6.1.0.1 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-8349. PoCs published by karlemilnikka.

AI-analyzed exploit summary This repository contains a detailed writeup of CVE-2024-8349 and CVE-2024-8350, which are privilege escalation vulnerabilities in the Uncanny Groups for LearnDash WordPress plugin. The vulnerabilities allow Group Leaders to escalate privileges to Admin by exploiting missing authorization checks and improper role validation.

Description

The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what users a group leader can edit. This makes it possible for authenticated attackers, with group leader-level access and above, to change admin account email addresses which can subsequently lead to admin account access.

Exploits (1)

nomisec WRITEUP

by karlemilnikka · poc

https://github.com/karlemilnikka/CVE-2024-8349-and-CVE-2024-8350

View Code ZIP pw:eip

This repository contains a detailed writeup of CVE-2024-8349 and CVE-2024-8350, which are privilege escalation vulnerabilities in the Uncanny Groups for LearnDash WordPress plugin. The vulnerabilities allow Group Leaders to escalate privileges to Admin by exploiting missing authorization checks and improper role validation.

Classification

Writeup 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Uncanny Groups for LearnDash (uncanny-learndash-group) <= 6.1.0.1

Auth required

Prerequisites: Group Leader role in WordPress · Plugin setting 'Allow group leaders to edit users' enabled (for CVE-2024-8349)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory

https://github.com/karlemilnikka/CVE-2024-8349-and-CVE-2024-8350

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/64cf0ae2-8d66-40d1-8bb6-0cab1dafab0d?source=cve

Scores

CVSS v3 7.2

EPSS 0.0113

EPSS Percentile 62.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-862

Status published

Products (2)

Uncanny Owl/Uncanny Groups for LearnDash < 6.1.0.1

uncannyowl/uncanny_groups_for_learndash < 6.1.1

Published Sep 25, 2024

Tracked Since Feb 18, 2026