Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection. This issue affects MasterStudy LMS: from n/a through <= 3.6.27.
Published: 2025-10-31
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements used in an SQL command allows an attacker to inject SQL commands into the MasterStudy LMS plugin. By exploiting this flaw, an attacker can read, modify, or delete sensitive data stored in the WordPress database, potentially exposing user information or compromising the entire site.

Affected Systems

The vulnerability exists in the Stylemix MasterStudy LMS WordPress plugin for all versions through 3.6.27. No specific sub‑version details are provided, so any installation using an affected version is at risk.

Risk and Exploitability

With a CVSS score of 7.6, the vulnerability is considered High. The EPSS score of less than 1% indicates a low current exploitation probability. The vulnerability is not listed in CISA KEV. The likely attack vector involves submitting crafted input to plugin forms or URLs, leading to blind SQL injection. Immediate patching is essential to prevent potential data compromise.

Generated by OpenCVE AI on April 29, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MasterStudy LMS plugin to version 3.6.28 or later; if a newer patch is available, install it promptly.
  • If updating is not immediately possible, restrict or remove public access to the plugin’s database‑query endpoints using firewall rules or URL‑based access controls.
  • Apply least‑privilege database permissions so that the database user associated with WordPress can only execute necessary queries and has no rights to modify schema or drop tables.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values Added: Stylemixthemes; Stylemixthemes masterstudy Lms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Stylemixthemes; Stylemixthemes masterstudy Lms; Wordpress; Wordpress wordpress

Fri, 31 Oct 2025 18:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 31 Oct 2025 11:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection. This issue affects MasterStudy LMS: from n/a through <= 3.6.27.

Type: Title
Values Added: WordPress MasterStudy LMS plugin <= 3.6.27 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:14.541Z

Reserved: 2025-10-31T11:23:15.210Z

Link: CVE-2025-64366

Vulnrichment

Updated: 2025-10-31T18:05:13.616Z

NVD

Status: Deferred

Published: 2025-10-31T12:15:37.280

Modified: 2026-04-27T16:16:41.330

Link: CVE-2025-64366

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:30:19Z

Weaknesses