Unauthenticated access to the Masteriyo – LMS plugin permits a user to circumvent the payment gating mechanisms. This means an attacker can gain access to paid content or features without completing the necessary financial transaction, thereby undermining revenue streams and the integrity of the learning platform. The weakness maps to CWE‑862, a classic broken access control scenario.

WordPress installations that have the Masteriyo – LMS plugin version 2.1.5 or earlier are impacted. The plugin, developed by ThemeGrill, is distributed via the WordPress plugin repository and commonly integrated into educational or corporate WordPress sites. No other WordPress components are directly affected by this flaw.

The CVSS score of 7.5 classifies the issue as high severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability does not appear in CISA's KEV catalog, suggesting it is not a known, widely exploited issue. The likely attack vector requires no authentication, so any visitor to the site who can interact with the plugin’s API endpoints would potentially be able to exploit the break in access controls. In the absence of additional mitigations, the risk to sites is relatively of revenue and exposure of privileged content.