Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows PHP Local File Inclusion. This issue affects MasterStudy LMS: from n/a through <= 3.5.28.
Published: 2025-04-04
Score: 8.8 High
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This issue stems from an improper control of filenames used in PHP include/require statements, exposing a Local File Inclusion flaw. The vulnerability allows an attacker to supply arbitrary filenames, which the plugin then includes without validation. Although the description does not explicitly confirm RCE, including PHP files from the local filesystem can result in remote code execution or at least disclosure of sensitive information such as configuration files or passwords. The weakness is classified as CWE‑98.

Affected Systems

The vulnerability affects the Stylemix MasterStudy LMS WordPress plugin, specifically all releases from the initial version up through 3.5.28. No lower bound is stated, so any installation of these versions is susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of 2% indicates a low but measurable likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, inferred from the nature of a WordPress plugin and the ability to manipulate request parameters to influence the include path. An attacker who can supply a crafted filename parameter in a request could trigger the inclusion of arbitrary local files, potentially leading to information disclosure, or to code execution if the included file contains executable PHP code.

Generated by OpenCVE AI on May 13, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MasterStudy LMS plugin update.
  • If an update is not immediately available, remove or tightly restrict any query parameters that influence file inclusion, ensuring only whitelisted paths can be included.
  • Configure the web server to prevent web access to non‑public directories such as logs, backup files, and other sensitive locations to reduce the impact if a file inclusion is triggered.

Advisories
Source: EUVD
ID: EUVD-2025-9880
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix MasterStudy LMS allows PHP Local File Inclusion. This issue affects MasterStudy LMS: from n/a through 3.5.23.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix MasterStudy LMS allows PHP Local File Inclusion. This issue affects MasterStudy LMS: from n/a through 3.5.23.
Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows PHP Local File Inclusion. This issue affects MasterStudy LMS: from n/a through <= 3.5.28.
Title
Removed: WordPress MasterStudy LMS plugin <= 3.5.23 - Local File Inclusion vulnerability
Added: WordPress MasterStudy LMS plugin <= 3.5.28 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Stylemix MasterStudy LMS allows PHP Local File Inclusion. This issue affects MasterStudy LMS: from n/a through 3.5.23.
Title WordPress MasterStudy LMS plugin <= 3.5.23 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.025Z

Reserved: 2025-04-04T10:00:42.738Z

Link: CVE-2025-32141

Vulnrichment

Updated: 2025-04-04T19:53:54.338Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:22.223

Modified: 2026-04-23T15:28:38.033

Link: CVE-2025-32141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T15:45:43Z

Weaknesses