Description
The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. This is due to insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. When the Query builder detects parentheses in the sort_by parameter, it treats the value as a SQL function and directly concatenates it into the ORDER BY clause without any quoting. While esc_sql() is applied to escape quotes and backslashes, this cannot prevent ORDER BY injection when the values themselves are not wrapped in quotes in the resulting SQL statement. This makes it possible for authenticated attackers, with subscriber-level access and above, to append arbitrary SQL queries via the ORDER BY clause to extract sensitive information from the database including user credentials, session tokens, and other confidential data through time-based blind SQL injection techniques.
Published: 2026-04-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a time‑based blind SQL injection that occurs when the ORDER BY clause of the /lms/stm-lms/order/items REST API endpoint is built from user input that contains parentheses. The plugin does not quote such a value, so a crafted order_by parameter can inject arbitrary SQL. Authenticated users with the subscriber role or higher can exploit this to retrieve confidential data such as user passwords, session tokens and other database contents by measuring delayed responses. The injected SQL runs with the privileges of the WordPress database user, giving the attacker data‑theft capabilities without compromising the server directly.
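The two points made above (a parenthesised sort value concatenated unquoted, and esc_sql()-style escaping being unable to help) are easiest to see side by side with an allowlist-based hardened form. The PHP below is an added illustration written for this page; it is not the plugin's code and not the Wordfence patch. The function names, the esc_sql() stand-in, the backtick path for plain column names and the column allowlist are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's own code. The function names, the
// column allowlist and the esc_sql() stand-in are assumptions for this example.

// Stand-in for WordPress esc_sql(): it only escapes quotes, backslashes and a
// few control bytes (assumed behaviour; the real one delegates to MySQLi).
function stm_esc_sql(string $value): string
{
    return addcslashes($value, "\0\n\r\\'\"\x1a");
}

// The pattern the advisory describes: a value containing '(' is treated as a
// SQL function and concatenated unquoted, so escaping quotes cannot stop an
// injected expression. Backticking plain names is an assumption about the
// non-function branch, not a statement about the plugin.
function vulnerable_order_clause(string $sort_by, string $order): string
{
    $sort_by   = stm_esc_sql($sort_by);
    $direction = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    if (strpos($sort_by, '(') !== false) {
        return "ORDER BY {$sort_by} {$direction}";
    }
    return "ORDER BY `{$sort_by}` {$direction}";
}

// Hardened form: user input is never concatenated into the query. The value
// is looked up in a fixed allowlist of sortable columns (constructed list)
// and the direction is limited to the two literal keywords.
const SORTABLE_COLUMNS = ['id', 'date', 'total', 'status'];

function safe_order_clause(string $sort_by, string $order): ?string
{
    $column = strtolower(trim($sort_by));
    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        return null; // unknown column: reject instead of trying to escape
    }
    $direction = strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY `{$column}` {$direction}";
}

// Defender-side check for request logging or a WAF rule: a sort parameter
// that contains anything but identifier characters is worth flagging.
function is_identifier_like(string $param): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $param) === 1;
}

// Demonstration on constructed inputs.
$inputs = ['id', 'total', 'RAND()', "date'"];
foreach ($inputs as $in) {
    printf("%-8s esc_sql=%-8s flagged=%-4s vulnerable=%-26s safe=%s\n",
        $in,
        stm_esc_sql($in),
        is_identifier_like($in) ? 'no' : 'yes',
        vulnerable_order_clause($in, 'asc'),
        safe_order_clause($in, 'asc') ?? 'REJECTED'
    );
}
```

Run it with `php order_by_example.php`. The `RAND()` row shows the core of the issue: stm_esc_sql() returns the value unchanged because it contains no quote or backslash, the vulnerable builder emits it verbatim into the ORDER BY clause, and only the allowlist version rejects it. The `date'` row shows that escaping does its job on a quote yet still yields a broken identifier, which is why the fix is validation against a known column list rather than better escaping.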

Affected Systems

MasterStudy LMS WordPress Plugin – for Online Courses and Education from stylemix is vulnerable in all releases up to and including 3.7.25. The attack surface is the /lms/stm-lms/order/items endpoint, which is reachable by any logged‑in user with subscriber or higher permissions.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog, but the need for authenticated access and the potential to leak credentials make the risk higher than the score alone suggests. The exploit path requires knowledge of the plugin's REST API and the ability to manipulate ORDER BY parameters. In a typical WordPress installation, an attacker can perform the injection after gaining login credentials or through social engineering to obtain subscriber-level access. Once successful, the attacker can perform time‑based blind SQL queries to enumerate and exfiltrate sensitive data. Due to the moderate CVSS coupled with real‑world access conditions, the overall risk is considered significant for any site using these plugin versions.

Generated by OpenCVE AI on April 17, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MasterStudy LMS plugin to version 3.7.26 or later, which removes the vulnerable code paths.
  • Apply the Wordfence patch available at https://ti.wordfence.io/vendors/patch/1789/download, which rewrites the Query builder to quote order_by values properly.
  • If an immediate update is not possible, restrict the /lms/stm-lms/order/items endpoint to administrators only or block the order_by parameter via a firewall or content security rule to prevent injection attempts.

Advisories

No advisories yet.

References

https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/models/StmStatistics.php#L202
https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/models/StmStatistics.php#L238
https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/vendor/Query.php#L676
https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/route.php#L16
https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php#L202
https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php#L238
https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/vendor/Query.php#L676
https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/route.php#L16
https://plugins.trac.wordpress.org/changeset/3506029/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/vendor/Query.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Fmasterstudy-lms-learning-management-system/tags/3.7.25&new_path=%2Fmasterstudy-lms-learning-management-system/tags/3.7.26
https://ti.wordfence.io/vendors/patch/1789/download
https://www.wordfence.com/threat-intel/vulnerabilities/id/7a51fe96-f3d3-46fe-9e3a-fb7c1bd17b05?source=cve

History

Fri, 17 Apr 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 03:45:00 +0000

Type: First Time appeared
Values Added: Stylemix; Stylemix masterstudy Lms Wordpress Plugin – For Online Courses And Education; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Stylemix; Stylemix masterstudy Lms Wordpress Plugin – For Online Courses And Education; Wordpress; Wordpress wordpress

Fri, 17 Apr 2026 02:15:00 +0000

Type: Description
Values Added: The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. This is due to insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. When the Query builder detects parentheses in the sort_by parameter, it treats the value as a SQL function and directly concatenates it into the ORDER BY clause without any quoting. While esc_sql() is applied to escape quotes and backslashes, this cannot prevent ORDER BY injection when the values themselves are not wrapped in quotes in the resulting SQL statement. This makes it possible for authenticated attackers, with subscriber-level access and above, to append arbitrary SQL queries via the ORDER BY clause to extract sensitive information from the database including user credentials, session tokens, and other confidential data through time-based blind SQL injection techniques.

Type: Title
Values Added: MasterStudy LMS <= 3.7.25 - Authenticated (Subscriber+) Time-based Blind SQL Injection via 'order' and 'orderby' Parameters

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T18:39:48.201Z

Reserved: 2026-03-25T13:39:50.506Z

Link: CVE-2026-4817

Vulnrichment

Updated: 2026-04-17T18:39:42.914Z

NVD

Status : Received

Published: 2026-04-17T02:16:05.883

Modified: 2026-04-17T02:16:05.883

Link: CVE-2026-4817

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:30:08Z

Weaknesses