Description
The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.
Published: 2026-06-27
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Masteriyo LMS plugin for WordPress suffers from an authorization bypass that allows authenticated users with at least student-level privileges to modify the content of any course announcement, regardless of the original author. This flaw arises because the plugin fails to verify that the current user has proper rights before performing the edit operation. As a result, an attacker who can log in as a student can alter announcements created by instructors or administrators, potentially undermining the integrity of course communication.

Affected Systems

Masteriyo LMS – LMS Course Builder, Quizzes & Certificates, versions up to and including 2.2.1 on WordPress sites are affected. All users with student or higher roles can exploit this weakness.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user in the system, typically a student logged into the WordPress admin area. The flaw gives the attacker the ability to alter announcement content, which could be used to spread misinformation or disrupt learning, but it does not provide remote code execution or privilege escalation beyond the user role. Overall risk is moderate with limited immediate impact beyond content integrity.

Generated by OpenCVE AI on June 27, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Masteriyo LMS to the latest version where the authorization check has been implemented.
  • Verify that only instructor or administrator roles are allowed to edit course announcements by reviewing WordPress role permissions.
  • If an immediate update is not feasible, disable the Course Announcement feature or restrict it to administrators to prevent unauthorized changes.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.
Title | | Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-27T06:50:57.531Z

Reserved: 2026-06-09T11:55:57.904Z

Link: CVE-2026-11773

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T08:30:07Z

Weaknesses