Description
Unauthenticated Broken Authentication in Masteriyo - LMS <= 2.1.8 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Masteriyo - LMS plugin for WordPress contains an unauthenticated broken authentication flaw in versions 2.1.8 and earlier. Attackers can circumvent the login mechanism and obtain access to privileged areas of the site without credentials. This weakness allows an adversary to potentially modify course content, view student data, or perform other administrative actions, directly impacting the confidentiality, integrity, and availability of the learning platform.

Affected Systems

The vulnerable component is the Masteriyo – LMS plugin developed by ThemeGrill. Any WordPress site running Masteriyo version 2.1.8 or older is subject to this flaw. An update to at least version 2.1.9 removes the vulnerability.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. EPSS < 1% suggests the probability of exploitation is low, and the weakness is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the public authentication interface of the plugin, where attackers can submit crafted requests to gain unauthorized access. The absence of additional conditions in the report implies the exploit can be performed without elevated privileges or special tooling.

Generated by OpenCVE AI on June 18, 2026 at 00:41 UTC.

Remediation

Vendor Solution

Update the WordPress Masteriyo - LMS Plugin to the latest available version (at least 2.1.9).


OpenCVE Recommended Actions

  • Update the Masteriyo – LMS plugin to version 2.1.9 or later as provided by ThemeGrill
  • Enforce strong, unique passwords for all WordPress administrative accounts
  • Enable multi‑factor authentication for the WordPress admin interface to add an extra barrier against credential‑based attacks

Generated by OpenCVE AI on June 18, 2026 at 00:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Themegrill
Themegrill masteriyo
Wordpress
Wordpress wordpress
Vendors & Products Themegrill
Themegrill masteriyo
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Authentication in Masteriyo - LMS <= 2.1.8 versions.
Title WordPress Masteriyo - LMS plugin <= 2.1.8 - Broken Authentication vulnerability
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Themegrill Masteriyo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:23:35.285Z

Reserved: 2026-04-29T09:05:30.886Z

Link: CVE-2026-42743

cve-icon Vulnrichment

Updated: 2026-06-16T01:23:30.797Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:57.117

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42743

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-347

    Improper Verification of Cryptographic Signature