Impact
This vulnerability arises from incorrect privilege assignment in the Masteriyo – LMS plugin for WordPress: a user holding a low-privilege or default role can obtain rights the plugin should never have granted. The flaw is classified as Incorrect Privilege Assignment (CWE‑266). An authenticated attacker who can interact with the plugin's administrative functionality could gain administrator‑level rights and with them full control of the WordPress site, including data theft, content modification, or complete site takeover. The official description confirms that the flaw permits privilege escalation.
Affected Systems
The affected product is the Masteriyo – LMS plugin for WordPress, developed by ThemeGrill. Every release up to and including version 2.2.0 is impacted; the vulnerability list gives the range as n/a through 2.2.0, meaning no lower bound is known. Any WordPress site running Masteriyo at 2.2.0 or earlier must be assessed, with priority for sites that let untrusted people hold an account (self‑registration, open course enrolment, delegated role management), since an account with limited access is the foothold a privilege‑escalation flaw needs.
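As an added example (not code from the plugin, ThemeGrill or OpenCVE), the following Python script locates Masteriyo in a wp-content/plugins tree by its plugin header and reports whether the installed version falls inside the affected range. It assumes the standard WordPress header format (`Plugin Name:` and `Version:` lines in the plugin's main PHP file); `SAMPLE_HEADER` is constructed for illustration, and the helper names (`find_masteriyo`, `is_affected`) are this example's own.

```python
"""Find Masteriyo in a WordPress plugins directory and decide whether the
installed version is in the affected range (up to and including 2.2.0).

Added example, not the plugin's or OpenCVE's code. Assumes the standard
WordPress plugin header; SAMPLE_HEADER below is constructed."""
import os
import re
from typing import Iterator, Optional, Tuple

AFFECTED_MAX = "2.2.0"  # advisory range: n/a through 2.2.0 (inclusive)

# Header lines look like " * Plugin Name: Foo" inside the file's top comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M | re.I)


def parse_plugin_header(text: str) -> dict:
    """Return {'plugin name': ..., 'version': ...} from a plugin file header."""
    return {key.lower(): value for key, value in HEADER_RE.findall(text)}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for dotted versions; a suffix such as '-beta' is ignored."""
    core = version.split("-")[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def is_affected(version: str, max_affected: str = AFFECTED_MAX) -> bool:
    """True when version <= max_affected (tuple comparison handles 2.10 > 2.2)."""
    return version_key(version) <= version_key(max_affected)


def iter_plugin_mains(plugins_dir: str) -> Iterator[str]:
    """Yield the top-level PHP files of each plugin directory (where the header lives)."""
    for entry in os.scandir(plugins_dir):
        if entry.is_dir():
            for f in os.scandir(entry.path):
                if f.is_file() and f.name.endswith(".php"):
                    yield f.path


def find_masteriyo(plugins_dir: str) -> Optional[Tuple[str, str, bool]]:
    """Return (path, version, affected) for the first plugin named Masteriyo."""
    for path in iter_plugin_mains(plugins_dir):
        with open(path, encoding="utf-8", errors="replace") as fh:
            header = parse_plugin_header(fh.read(8192))  # header is at the top
        name = header.get("plugin name", "")
        if "masteriyo" in name.lower() and "version" in header:
            return path, header["version"], is_affected(header["version"])
    return None


# Constructed sample header in the WordPress plugin header format.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Masteriyo - LMS
 * Plugin URI: https://example.invalid/
 * Version: 2.2.0
 * Author: ThemeGrill
 */
"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        hit = find_masteriyo(sys.argv[1])
        print(hit if hit else "Masteriyo not found under %s" % sys.argv[1])
    else:
        header = parse_plugin_header(SAMPLE_HEADER)
        print(header["plugin name"], header["version"],
              "affected" if is_affected(header["version"]) else "not affected")
```

Run it against a copy of the site with `python check_masteriyo.py /path/to/wp-content/plugins`. On a live host with WP-CLI, `wp plugin list --fields=name,version,status` gives the same version and additionally shows whether the plugin is active.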
Risk and Exploitability
The CVSS score of 8.8 places the issue in the High severity band. The EPSS score of 0.00245 (about 0.25%) estimates a low probability that the flaw is exploited in the wild in the near term, and the absence of a CISA KEV listing means no confirmed in‑the‑wild exploitation has been recorded; neither signal reduces the impact for a site an attacker does reach. The likely attack vector is an authenticated user with limited access who leverages the plugin's privilege assignment flaw to gain elevated rights. Once the vulnerability is exploited, the attacker holds complete administrative control over the WordPress site, which typically leads to data compromise, site defacement, persistence through uploaded plugins or themes, or further lateral movement within the hosting environment.
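If a site ran an affected version while exposed, the residue an exploit would leave is an account that holds the administrator role without the site owner having granted it. As an added example (not from the advisory or the plugin), the Python script below decodes the PHP‑serialized role map WordPress stores in the `wp_capabilities` user‑meta row and reports administrators missing from a known baseline. It assumes the default `wp_` table prefix and rows exported with the query shown in the comment; the logins, rows and baseline are constructed.

```python
"""Audit WordPress administrator accounts against a baseline.

Added example, not the advisory's or the plugin's code. Assumes the default
wp_ table prefix; SAMPLE_ROWS and KNOWN_ADMINS are constructed."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Export query (default wp_ prefix assumed):
#   SELECT u.user_login, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities';
# Each meta_value is a PHP-serialized array of role => bool, e.g.
#   a:1:{s:13:"administrator";b:1;}
CAP_ENTRY_RE = re.compile(r's:\d+:"([^"]+)";b:([01]);')


def parse_capabilities(serialized: str) -> Dict[str, bool]:
    """Decode the role map into {'administrator': True, ...}.
    Only the role => bool shape WordPress writes for user roles is handled."""
    if not serialized.startswith("a:"):
        raise ValueError("wp_capabilities is not a serialized PHP array: %r" % serialized)
    return {role: flag == "1" for role, flag in CAP_ENTRY_RE.findall(serialized)}


def active_roles(serialized: str) -> List[str]:
    """Roles whose flag is true; a role stored as b:0 is present but disabled."""
    return sorted(role for role, on in parse_capabilities(serialized).items() if on)


def unexpected_admins(rows: Iterable[Tuple[str, str]], baseline: Set[str]) -> List[str]:
    """Logins holding an active administrator role that are not in the baseline."""
    return sorted(
        login
        for login, caps in rows
        if parse_capabilities(caps).get("administrator", False) and login not in baseline
    )


# Constructed sample rows in the shape the query above returns.
SAMPLE_ROWS = [
    ("siteowner",      'a:1:{s:13:"administrator";b:1;}'),
    ("student42",      'a:1:{s:10:"subscriber";b:1;}'),
    ("escalated_user", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    ("former_admin",   'a:1:{s:13:"administrator";b:0;}'),  # disabled flag, not an admin
]
KNOWN_ADMINS = {"siteowner"}  # the site owner's own baseline

if __name__ == "__main__":
    for login in unexpected_admins(SAMPLE_ROWS, KNOWN_ADMINS):
        print("unexpected administrator:", login)
```

On a host with WP-CLI the same list comes from `wp user list --role=administrator --fields=user_login,user_registered`; compare it with the baseline and treat any administrator whose `user_registered` date falls after the plugin was installed as a candidate for escalation rather than legitimate provisioning.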
OpenCVE Enrichment