Impact
The MasterStudy LMS Pro plugin for WordPress contains a missing-authorization flaw that lets attackers delete content. The vulnerability stems from improperly constrained ACL checks: the deletion path does not verify that the caller actually holds the capability to delete the targeted item, so users who should not be able to delete content can trigger the operation. An attacker who can reach the deletion function can remove posts, pages, or other plugin-managed data, compromising data integrity and availability.
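To make this flaw class concrete, the following is an added, constructed illustration of an improperly constrained ACL check in a WordPress AJAX deletion handler, shown beside a hardened version. It is not code from MasterStudy LMS Pro; the plugin prefix, action names, nonce name and post types are assumptions chosen for the example, and the WordPress API calls used (check_ajax_referer, current_user_can, wp_delete_post, wp_send_json_*) are standard core functions.

```php
<?php
/**
 * Added illustration (not MasterStudy LMS Pro code). The "example_lms_"
 * prefix, action names, nonce action and post types are assumptions.
 */

// Vulnerable pattern: the handler is only reachable by logged-in users and
// the ACL check stops at "is the caller logged in?". Any authenticated
// account that can reach admin-ajax.php can delete any post by id.
function example_lms_delete_item_unsafe() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $post_id = absint( $_POST['item_id'] ?? 0 );
    wp_delete_post( $post_id, true );   // no capability check, no nonce check
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_lms_delete_item_unsafe', 'example_lms_delete_item_unsafe' );

// Hardened pattern: CSRF nonce, object-level capability check bound to the
// specific post id, and an allow-list of post types the endpoint may touch.
function example_lms_delete_item() {
    // Rejects forged cross-site requests; sends 403 and stops on failure.
    // The client obtains the nonce via wp_create_nonce( 'example_lms_delete_item' ).
    check_ajax_referer( 'example_lms_delete_item', 'nonce' );

    $post_id = absint( $_POST['item_id'] ?? 0 );
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( 'no such item', 404 );
    }

    // Restrict the endpoint to the plugin's own content types (assumed names),
    // so it cannot be repurposed to delete arbitrary site posts or pages.
    $allowed_types = array( 'example_lms_course', 'example_lms_lesson' );
    if ( ! in_array( $post->post_type, $allowed_types, true ) ) {
        wp_send_json_error( 'wrong post type', 400 );
    }

    // Object-level check: may THIS user delete THIS post? The delete_post
    // meta-capability resolves ownership and post status, unlike a bare
    // is_user_logged_in() or a generic 'read' capability check.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_lms_delete_item', 'example_lms_delete_item' );
```

The point of the contrast is the scope of the check: the unsafe handler asks whether a user exists, while the hardened one asks whether this user may delete this object, and additionally binds the request to a nonce so a victim's browser cannot be made to issue it. When auditing a plugin for this class of bug, look for delete, update or publish handlers whose only gate is is_user_logged_in(), a login-wall on the admin-ajax or REST route, or a capability check that is not tied to the object id.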
Affected Systems
StylemixThemes’ MasterStudy LMS Pro plugin for WordPress is affected. All versions prior to 4.7.16 are vulnerable; 4.7.16 is the first version that is not. Any WordPress site running an affected plugin version is exposed.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation in the wild is currently rare. The vulnerability is not listed in the CISA KEV catalog, but a low exploitation probability does not preclude exploitation, and missing-authorization bugs in WordPress plugins are typically easy to trigger once the affected endpoint is known. The advisory does not state the privilege level needed to reach the deletion function; given the flaw class, the attacker must be able to send requests to the plugin's deletion interface on the target site, which may be possible for a low-privileged account, a compromised account, or, depending on how the ACL check is constrained, an unauthenticated client. An attacker with such access could delete content they are not entitled to remove, resulting in loss of data and potential service disruption. Administrators should update to 4.7.16 or later and, if an affected version was exposed, review web server logs for unexpected requests to the plugin's deletion endpoints and verify that course and site content is intact.
OpenCVE Enrichment