Description
The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Masteriyo LMS WordPress plugin leaves a course-progress REST API controller without authorization checks. Unauthenticated users can read any user's course-progress information and permanently delete it, exposing confidential learning records and destroying the integrity of the system's progress data. This is a classic improper access control issue (CWE-284).

Affected Systems

All installations of the Masteriyo LMS plugin for WordPress with a version older than 2.2.1 are affected; no specific vendor or additional product versions are listed.

Risk and Exploitability

The vulnerability can be triggered simply by sending HTTP requests to the exposed REST endpoint, without any authentication. Because it allows data read and deletion, an attacker could harvest private progress metrics or sabotage users’ learning paths. No EPSS score is available and the issue is not included in CISA’s KEV catalog, but the lack of authentication suggests the attack surface is broadly accessible. The risk is significant for sites that rely on Masteriyo LMS to track student progress.

Generated by OpenCVE AI on June 25, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Masteriyo LMS to version 2.2.1 or later, which implements proper access controls on the course-progress REST API.
  • Configure a firewall rule or use a plugin to block unauthenticated requests to the affected REST endpoint until the patch is applied.
  • Perform a comprehensive review of all WordPress REST endpoints to identify and remediate any missing authorization checks, ensuring similar vulnerabilities are addressed.
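The third recommended action, checking every REST endpoint for an authorization check, comes down in WordPress to the permission_callback argument of register_rest_route(). The following is an added illustration written for this page, not Masteriyo's code and not the fix shipped in 2.2.1; the example-lms/v1 namespace, the route, the manage_course_progress capability and the option-based storage helper are all assumptions. It shows a course-progress route whose read and delete handlers share one permission callback that rejects anonymous callers and restricts access to the record's owner or a privileged user.

```php
<?php
/**
 * Illustrative WordPress REST route for per-user course-progress records.
 * Added example, not the plugin's own code: the namespace, route, capability
 * name and storage helper below are assumptions made for this page.
 */

add_action( 'rest_api_init', function () {
    register_rest_route(
        'example-lms/v1',                   // hypothetical namespace
        '/course-progress/(?P<id>\d+)',     // hypothetical route
        array(
            array(
                'methods'             => WP_REST_Server::READABLE,
                'callback'            => 'example_lms_get_progress',
                // This is the check the advisory describes as missing: without a
                // permission_callback (or with '__return_true') any anonymous
                // client can call the route.
                'permission_callback' => 'example_lms_can_access_progress',
                'args'                => array(
                    'id' => array(
                        'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                        'sanitize_callback' => 'absint',
                    ),
                ),
            ),
            array(
                'methods'             => WP_REST_Server::DELETABLE,
                'callback'            => 'example_lms_delete_progress',
                'permission_callback' => 'example_lms_can_access_progress',
            ),
        )
    );
} );

/**
 * Authorization check shared by the read and delete handlers.
 * Allows the record owner or a user holding the hypothetical
 * 'manage_course_progress' capability; everyone else gets 401/403.
 */
function example_lms_can_access_progress( WP_REST_Request $request ) {
    // Anonymous callers are rejected before any record lookup, so they learn
    // nothing about which ids exist.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }

    $progress = example_lms_load_progress( (int) $request['id'] );
    if ( null === $progress ) {
        return new WP_Error( 'rest_not_found', 'Record not found.', array( 'status' => 404 ) );
    }

    if ( (int) $progress['user_id'] === get_current_user_id()
         || current_user_can( 'manage_course_progress' ) ) {
        return true;
    }

    return new WP_Error( 'rest_forbidden', 'You cannot access this record.', array( 'status' => 403 ) );
}

function example_lms_get_progress( WP_REST_Request $request ) {
    return rest_ensure_response( example_lms_load_progress( (int) $request['id'] ) );
}

function example_lms_delete_progress( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    // Storage is abstracted behind an option key here; a real plugin would
    // use its own table or post type.
    delete_option( "example_lms_progress_{$id}" );
    return rest_ensure_response( array( 'deleted' => true, 'id' => $id ) );
}

/** Hypothetical storage helper: returns the record array or null. */
function example_lms_load_progress( int $id ) {
    $record = get_option( "example_lms_progress_{$id}", null );
    return is_array( $record ) ? $record : null;
}
```

Since WordPress 5.5, a route registered without a permission_callback triggers a _doing_it_wrong notice, so enabling WP_DEBUG and searching plugin code for register_rest_route() calls whose permission_callback is absent or set to '__return_true' is a practical way to carry out the endpoint review; any route that reads or modifies per-user data behind '__return_true' deserves the same owner-or-capability check as the one above.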



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:30:00 +0000

Type: First Time appeared
Values added: Masteriyo, Masteriyo masteriyo, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values added: Masteriyo, Masteriyo masteriyo, Wordpress, Wordpress wordpress

Thu, 25 Jun 2026 08:15:00 +0000

Type: Weaknesses
Values added: CWE-284

Thu, 25 Jun 2026 06:45:00 +0000

Type: Description
Values added: The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

Type: Title
Values added: Masteriyo LMS < 2.2.1 - Unauthenticated Course Progress Disclosure and Deletion

Type: References

Subscriptions

Masteriyo Masteriyo
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-25T13:05:28.462Z

Reserved: 2026-06-04T08:23:08.491Z

Link: CVE-2026-10824

Vulnrichment

Updated: 2026-06-25T13:05:23.743Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses