Description
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Order Completion
Action: Patch
AI Analysis

Impact

The Masteriyo LMS plugin for WordPress processes Stripe webhook events without proper signature verification when the webhook_secret setting is empty. The handler accepts any POST request and verifies the signature only when both a secret is configured and an HTTP_STRIPE_SIGNATURE header is present. Because the default secret value is an empty string, an unauthenticated attacker can craft a JSON payload with any order_id in the metadata and have the plugin record that order as completed, effectively bypassing payment and granting access to paid course content. This flaw is an authorization bypass (CWE-639).

Affected Systems

All WordPress installations running the Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin up to and including version 2.1.7 with the Stripe addon enabled are impacted. The vulnerability resides in the webhook handling of the StripeAddon.php file and affects any site that exposes this endpoint.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector likely involves sending an unauthenticated HTTP POST to the Stripe webhook URL from the public internet with a forged JSON payload containing a desired order_id. Successful exploitation allows an attacker to mark any order as completed without payment and gain unauthorized access to course materials.

Generated by OpenCVE AI on April 8, 2026 at 09:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin vendor’s website for a newer release that addresses the webhook verification issue and upgrade to that version if available.
  • If a patch is not yet released, configure a non-empty webhook_secret value in the Stripe addon settings and enforce the presence of the HTTP_STRIPE_SIGNATURE header for all webhook requests.
  • If the Stripe webhook endpoint is not required for business operations, disable or block that endpoint so it is no longer publicly reachable.
  • Monitor order completion logs for unexpected entries that may indicate unauthorized activity.
  • Implement additional access controls to ensure that only users who have paid and recorded a completed order can access paid courses.
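As an added illustration (not the plugin's code), the conditional gate the Impact section describes is shown next to a fail-closed check of the kind the second recommended action calls for. The `t=<ts>,v1=<hmac>` header layout is Stripe's public signature format; the `data.object.metadata.order_id` path, the `whsec_` secret and the sample event are constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # replay window; Stripe's documented default

# Constructed sample event, not a real Stripe event; the metadata.order_id path is assumed.
SAMPLE_EVENT = json.dumps({"type": "checkout.session.completed",
                           "data": {"object": {"metadata": {"order_id": "42"}}}}).encode()

def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Stripe-style header value: t=<ts>,v1=<hex HMAC-SHA256 over "<ts>.<payload>">."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"

def skips_verification(secret: str, header: Optional[str]) -> bool:
    """The gate the advisory describes: verify only if BOTH a secret is configured AND the
    header is present. With the default empty secret this is True for every request."""
    return not (secret and header)

def verify_stripe_signature(secret: str, header: Optional[str], payload: bytes,
                            now: Optional[int] = None) -> bool:
    """Fail closed: no secret, no header, bad format, stale timestamp or bad MAC all reject."""
    if not secret or not header:
        return False
    ts, sigs = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            ts = value
        elif key == "v1":  # several v1 values may appear during secret rotation
            sigs.append(value)
    if ts is None or not ts.isdigit() or not sigs:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(ts)) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return any(s.isascii() and hmac.compare_digest(expected, s) for s in sigs)

def handle_webhook(secret: str, header: Optional[str], payload: bytes,
                   now: Optional[int] = None) -> Optional[str]:
    """Return the order_id to mark completed, or None when the event is rejected."""
    if not verify_stripe_signature(secret, header, payload, now):
        return None
    event = json.loads(payload)
    return event.get("data", {}).get("object", {}).get("metadata", {}).get("order_id")
```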

Generated by OpenCVE AI on April 8, 2026 at 09:29 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Masteriyo; Masteriyo masteriyo Lms – Online Course Builder For Elearning, Lms & Education; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Masteriyo; Masteriyo masteriyo Lms – Online Course Builder For Elearning, Lms & Education; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 07:00:00 +0000

Type: Description
Values Added: The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.

Type: Title
Values Added: Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:31.736Z

Reserved: 2026-03-30T15:04:11.752Z

Link: CVE-2026-5167

Vulnrichment

Updated: 2026-04-08T14:48:02.688Z

NVD

Status: Deferred

Published: 2026-04-08T07:16:22.853

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-5167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:38Z

Weaknesses