The MasterStudy LMS WordPress Plugin allows a stored XSS flaw in the stm_lms_courses_grid_display shortcode. The plugin fails to sanitize or escape user‑supplied attributes, meaning an authenticated contributor can insert arbitrary JavaScript that is persisted. When a page containing the affected shortcode is viewed, the injected script runs in the context of the visitor’s session. Based on this behavior, it is inferred that an attacker could hijack sessions, deface the site, or deliver other malicious payloads, as these are typical outcomes of stored XSS.

WordPress sites that have the MasterStudy LMS WordPress Plugin – for Online Courses and Education installed, in any version up to and including 3.7.11. No specific patch version is indicated, so all installations of these versions are vulnerable until a newer plugin release is applied.

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1 % signals a low probability of exploitation in the wild. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a contributor‑level account or higher; no remote public access is needed. Once a malicious script is stored via the shortcode, any user who visits a page containing that shortcode will execute the script in their browser session. The likely impacts on confidentiality and integrity of site content are inferred from typical stored XSS effects, potentially including session hijacking, defacement, or malicious payload delivery, but the exact scope cannot be determined from the available data.