Impact
The Masteriyo - LMS plugin for WordPress contains an unauthenticated broken authentication flaw in versions 2.1.8 and earlier. Attackers can circumvent the login mechanism and obtain access to privileged areas of the site without credentials. This weakness allows an adversary to potentially modify course content, view student data, or perform other administrative actions, directly impacting the confidentiality, integrity, and availability of the learning platform.
Affected Systems
The vulnerable component is the Masteriyo – LMS plugin developed by ThemeGrill. Any WordPress site running Masteriyo version 2.1.8 or older is subject to this flaw. An update to at least version 2.1.9 removes the vulnerability.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity. EPSS < 1% suggests the probability of exploitation is low, and the weakness is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the public authentication interface of the plugin, where attackers can submit crafted requests to gain unauthorized access. The absence of additional conditions in the report implies the exploit can be performed without elevated privileges or special tooling.
OpenCVE Enrichment