Description
Missing Authorization vulnerability in StylemixThemes Masterstudy masterstudy allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Masterstudy: from n/a through < 4.8.122.
Published: 2025-12-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE details a missing authorization flaw in the Masterstudy WordPress theme by StylemixThemes that allows attackers to invoke functions that should be guarded by access control lists. Because the theme omits proper ACL enforcement, a user who can reach the vulnerable endpoints can read or modify data intended only for privileged users, potentially compromising the confidentiality, integrity, and availability of the site.

Affected Systems

All installations of the Masterstudy theme built by StylemixThemes that use a version earlier than 4.8.122 are affected. This includes every release from the theme’s initial distribution up through the 4.8.121 release, as the vulnerability is documented for all versions in that range.

Risk and Exploitability

The CVSS score of 7.5 places this vulnerability in the high‑severity range, while the EPSS score of less than 1 % indicates a low chance of exploitation at present. The issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via a web‑based request to administrative or API endpoints that lack proper role checks; an attacker would need to identify such an endpoint and send a crafted request, but the missing authorization removes the usual permission barriers.

Generated by OpenCVE AI on April 29, 2026 at 13:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update of the Masterstudy theme (4.8.122 or newer) to restore proper access control.
  • If immediate version upgrade is not possible, restrict access to the vulnerable administrative URLs by configuring firewall rules or .htaccess directives so that only trusted IPs or authenticated roles can reach them.
  • Audit the theme’s permission settings to ensure that only users with the required capabilities can execute protected functions, and disable or remove any unused administrative features that could expose sensitive operations.
  • Review custom code or plugins that interact with the Masterstudy theme to verify that they do not bypass the theme’s built‑in authorization logic.



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Stylemixthemes; Stylemixthemes masterstudy Lms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Stylemixthemes; Stylemixthemes masterstudy Lms; Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in StylemixThemes Masterstudy masterstudy allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Masterstudy: from n/a through < 4.8.122.

Type: Title
Values Removed: (none)
Values Added: WordPress Masterstudy theme < 4.8.122 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:24:58.564Z

Reserved: 2025-10-29T03:07:57.235Z

Link: CVE-2025-64209

Vulnrichment

Updated: 2025-12-18T19:32:20.976Z

NVD

Status: Deferred

Published: 2025-12-18T08:16:11.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses