Description
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates
Published: 2026-01-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized content manipulation
Action: Apply patch
AI Analysis

Impact

The MasterStudy LMS WordPress plugin contains missing authorization checks on several REST API endpoints. This deficiency allows authenticated users with Subscriber-level access or higher to upload or delete arbitrary media files, modify or delete posts, and create or manage course templates. The vulnerability is an instance of CWE‑862, meaning that the system fails to verify that the caller has permission to perform the requested action, which compromises data integrity.

Affected Systems

The vulnerability affects the stylemix MasterStudy LMS WordPress plugin – for Online Courses and Education, specifically all releases up to and including version 3.7.6. Users running any of these versions are at risk of unauthorized modifications unless they upgrade to a fixed build.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low exploitation probability under current conditions. The vulnerability is not listed in the CISA KEV catalog. Attackers need to be authenticated, and the most likely attack vector is through the plugin’s REST API endpoints that are accessible to Subscriber or more privileged users. Exploitation would allow the attacker to upload or delete arbitrary media, remove or alter posts, and manage course templates, thereby undermining the integrity and availability of site content.

Generated by OpenCVE AI on April 22, 2026 at 20:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MasterStudy LMS WordPress plugin to the latest version that contains the missing authorization checks for its REST API endpoints.
  • If an immediate upgrade is not possible, temporarily block or remove the plugin’s REST API endpoints for non‑administrator roles by disabling the plugin or configuring a firewall rule that blocks requests to the /wp-json/masterstudy/v1/ URLs for Subscriber users.
  • Revoke Subscriber or higher roles from users who do not require the ability to create or delete media and posts, or replace them with lower‑privileged roles that lack media upload capabilities.

Generated by OpenCVE AI on April 22, 2026 at 20:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Stylemix
Stylemix masterstudy Lms Wordpress Plugin
Wordpress
Wordpress wordpress
Vendors & Products Stylemix
Stylemix masterstudy Lms Wordpress Plugin
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates
Title MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Stylemix Masterstudy Lms Wordpress Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:51.744Z

Reserved: 2025-11-27T16:40:43.878Z

Link: CVE-2025-13766

cve-icon Vulnrichment

Updated: 2026-01-06T14:32:04.176Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T09:15:53.983

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13766

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses