[Resolved] flashaha (@flashaha)

    We were recently a victim of a serious security breach, via Masteriyo. The plugin allowed a user to update the user role through the ‘InstructorsController::prepare_object_for_database’ function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.
    This breach has since been patched in the latest software version.

    Thankfully, no money was redirected, so my client is not affected. However, the hacker became an Owner of the Google Search Console for this website. The website traffic has since had “floods” a week apart, which we have no explanation for.

    If anybody else has been affected by this, please let us know what the hackers did and what you did to resolve it. We are going to roll back to a 15-day backup and then update the plugin. However, I suspect that won’t be the end of it.

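As an added illustration, not Masteriyo's code and not taken from this thread, here is the shape of the defect the report describes next to a hardened version: a constructed user-update handler that first applies a request-supplied `role` field unconditionally, then one that requires the `promote_users` capability, restricts the value to an allowlist of plugin roles, and refuses self-edits. The function names, the role slugs `masteriyo_student` / `masteriyo_instructor` and the request shape are assumptions; the WordPress functions used (`current_user_can`, `wp_roles`, `sanitize_key`, `WP_User::set_role`, `WP_Error`) are real and the code assumes it runs inside the WordPress runtime.

```php
<?php
// Added illustration (not Masteriyo's code). Assumes the WordPress runtime.

/**
 * VULNERABLE PATTERN (constructed): whatever role the request carries is
 * written onto the user object. Any authenticated caller who can reach the
 * endpoint can therefore promote themselves to 'administrator'.
 */
function example_prepare_user_insecure( WP_User $user, array $request ) {
    if ( isset( $request['role'] ) ) {
        // No capability check and no allowlist.
        $user->set_role( sanitize_key( $request['role'] ) );
    }
    return $user;
}

/**
 * HARDENED PATTERN (constructed): the role is applied only when the *current*
 * user may promote others, the value is a registered role on the plugin's own
 * allowlist, and the caller is not editing their own account.
 * Returns the WP_User on success or a WP_Error the REST layer can surface.
 */
function example_prepare_user_secure( WP_User $user, array $request ) {
    if ( ! isset( $request['role'] ) ) {
        return $user; // nothing to change
    }

    $requested = sanitize_key( wp_unslash( $request['role'] ) );

    // 1. Only accounts holding 'promote_users' (administrators by default) may change roles.
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'You are not allowed to change user roles.', array( 'status' => 403 ) );
    }

    // 2. The role must be registered and on the plugin's deliberate allowlist.
    //    'administrator' is intentionally absent. Role slugs below are assumed.
    $allowed = array( 'masteriyo_student', 'masteriyo_instructor' );
    if ( ! in_array( $requested, $allowed, true ) || ! wp_roles()->is_role( $requested ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unsupported role.', array( 'status' => 400 ) );
    }

    // 3. Never let a caller change their own role through this path,
    //    even if they hold promote_users.
    if ( get_current_user_id() === (int) $user->ID ) {
        return new WP_Error( 'rest_forbidden', 'You cannot change your own role here.', array( 'status' => 403 ) );
    }

    $user->set_role( $requested ); // set_role replaces, rather than appends to, existing roles
    return $user;
}
```

The two checks that matter most are the capability test on the current user (not on the target user) and the allowlist: validating that a role merely exists is not enough, because `administrator` exists too.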
Viewing 1 replies (of 1 total)
  Plugin Support Amrit Kumar Shrestha (@shresthauzwal)


    Hello @flashaha,

    Thank you for raising your concern. We completely understand how important security is, and we take such reports very seriously.

    After reviewing the mentioned topic, we would like to clarify that the issue has already been fixed in the latest version of Masteriyo. We strongly recommend updating to the latest version to ensure your site remains secure and up to date.

    Additionally, the reported issue does not have the capability to grant ownership of your Google Search Console account. Search Console ownership is managed through Google’s own verification methods (such as DNS records, HTML files, or meta tags) and is not controlled by Masteriyo.

    Regarding the unusual traffic spikes (“floods”), this is most likely caused by bot or automated traffic, which is common and not necessarily related to a plugin vulnerability.

    Recommended steps:

    • Update Masteriyo to the latest version
    • Review your Google Search Console ownership settings and remove any unknown users
    • Check your DNS and verification methods for any unauthorized changes
    • Monitor and block bot traffic using security tools or hosting logs
    • Review user roles, permissions, and possible plugin conflicts

    We are continuously improving our security practices and follow WordPress standards to ensure user data remains protected.

    Best Regards!
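For the "review user roles and permissions" step above, here is an added audit helper (not Masteriyo's code, not part of the reply) that walks every account on the site and flags three things a role-escalation incident typically leaves behind: an administrator login that is not on your known-good list, an account carrying more than one role (a sign a role was appended rather than replaced), and a role slug that is no longer registered on the site. It assumes the WordPress runtime (`get_users`, `wp_roles`) and is meant to be run with `wp eval-file`; the function name and the `site-owner` login in the sample call are constructed.

```php
<?php
// Added audit helper (not Masteriyo's code). Assumes the WordPress runtime,
// e.g. `wp eval-file audit-roles.php` from the site root.

/**
 * Return every account flagged by at least one check:
 *  - holds 'administrator' but its login is not in $expected_admins
 *  - holds more than one role (roles were appended, not replaced)
 *  - holds a role slug that is not registered on this site
 */
function example_audit_roles( array $expected_admins ) {
    $known_roles = array_keys( wp_roles()->get_names() );
    $findings    = array();

    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        $reasons = array();

        if ( in_array( 'administrator', $user->roles, true )
            && ! in_array( $user->user_login, $expected_admins, true ) ) {
            $reasons[] = 'unexpected administrator';
        }
        if ( count( $user->roles ) > 1 ) {
            $reasons[] = 'multiple roles: ' . implode( ',', $user->roles );
        }
        foreach ( array_diff( $user->roles, $known_roles ) as $unknown ) {
            $reasons[] = "unregistered role '$unknown'";
        }

        if ( $reasons ) {
            $findings[] = array(
                'ID'         => (int) $user->ID,
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
                'reasons'    => $reasons,
            );
        }
    }
    return $findings;
}

// Constructed known-good list: the administrator accounts you created yourself.
$expected = array( 'site-owner' );
foreach ( example_audit_roles( $expected ) as $f ) {
    printf( "%d\t%s\t%s\t%s\t%s\n",
        $f['ID'], $f['login'], $f['email'], $f['registered'], implode( '; ', $f['reasons'] ) );
}
```

WordPress stores roles in the `wp_capabilities` user-meta row but records no timestamp for when a role changed, so the `registered` column only dates the account, not the escalation; to date the change itself you need web-server or application logs, or a diff of `wp_usermeta` against the 15-day backup mentioned above. Run the audit again after restoring from backup and updating the plugin, since a backup taken after the escalation will restore the attacker's role along with everything else.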
