Description
Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a subscriber cross‑site scripting flaw that allows malicious input to be executed as JavaScript in the victim’s browser. Based on the description, the attacker can inject a script via a subscription form or a similar input handler whose content is rendered without proper sanitization. The attacker does not gain server‑side privileges but can hijack user sessions, exfiltrate data, or perform actions on the user’s behalf while the user is authenticated. This flaw maps to CWE‑79 and is rated medium severity with a CVSS score of 6.5.

Affected Systems

WordPress sites running the MasterStudy LMS plugin from Stylemix at version 3.7.27 or earlier are affected. The plugin processes subscriber data and delivers it to the frontend without adequate output encoding. Any installation that has not upgraded past 3.7.27, including sites on any earlier release of the plugin, is exposed.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate risk, and the EPSS score (below 1%) indicates a very low predicted exploitation probability at this time. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a web browser submitting crafted input to the subscription form or a related endpoint; an attacker with access to that interface can execute arbitrary JavaScript in the victim’s context. While the flaw does not provide remote code execution on the server, it enables session hijacking, data theft, or other malicious browser‑side actions. The straightforward exploitation path, even in the absence of a public exploit, means the risk, while moderate, should not be underestimated.

Generated by OpenCVE AI on June 29, 2026 at 16:51 UTC.

Remediation

Vendor Solution

Update the WordPress MasterStudy LMS Plugin to the latest available version (at least 3.7.28).
OpenCVE Recommended Actions

  • Update the MasterStudy LMS plugin to version 3.7.28 or later, which removes the XSS flaw.
  • If an immediate update is not possible, disable or restrict access to subscription forms or any user‑input areas that feed the plugin, effectively preventing malicious input from being processed.
  • Deploy a strict Content Security Policy header to restrict script execution on the site, reducing the impact of any remaining XSS vectors.

Generated by OpenCVE AI on June 29, 2026 at 16:51 UTC.
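As an added illustration (not code from MasterStudy LMS, Stylemix or OpenCVE), the generic output-encoding mistake behind a CWE-79 finding in a WordPress plugin is shown beside its hardened form, together with the Content Security Policy header from the recommended actions. The meta key `lms_bio`, the shortcode tag `demo_profile`, the `demo_*` function names and the policy values are assumptions; this page does not say where in the plugin the actual flaw lies.

```php
<?php
// Added illustration, not the plugin's code. The meta key, shortcode tag,
// function names and CSP allow-list below are assumptions.

// VULNERABLE PATTERN: a value a low-privileged user stored about themselves
// is echoed straight into HTML, so any markup it contains becomes part of
// the page for whoever views it.
function demo_render_profile_unsafe( $user_id ) {
    $bio = get_user_meta( $user_id, 'lms_bio', true ); // user-controlled
    return '<div class="bio" title="' . $bio . '">' . $bio . '</div>';
}

// HARDENED: encode for the exact context the value lands in. esc_attr()
// for attribute values, esc_html() for text nodes; the two contexts have
// different escaping rules, so one helper does not cover both.
function demo_render_profile_safe( $user_id ) {
    $bio = get_user_meta( $user_id, 'lms_bio', true );
    return '<div class="bio" title="' . esc_attr( $bio ) . '">'
         . esc_html( $bio ) . '</div>';
}

// If limited formatting must be allowed, filter the stored value against an
// allow-list at output time instead of trusting it; wp_kses_post() drops
// script elements, event-handler attributes and javascript: URLs.
function demo_render_bio_with_markup( $user_id ) {
    $bio = get_user_meta( $user_id, 'lms_bio', true );
    return '<div class="bio">' . wp_kses_post( $bio ) . '</div>';
}

// Hypothetical shortcode wiring so the safe renderer is what reaches a page.
add_shortcode( 'demo_profile', function () {
    return demo_render_profile_safe( get_current_user_id() );
} );

// Defence in depth (recommended action 3): a CSP that refuses inline script
// limits what a residual XSS can do. Many WordPress themes and plugins rely
// on inline scripts, so stage it with the Report-Only variant first, add
// nonces or hashes where needed, then switch to the enforcing header.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" );
} );
```

The safe renderer escapes at output rather than at save time: escaping on input tends to double-encode data reused elsewhere and leaves a gap for values that entered the database by another path, while escaping where the HTML is produced makes the protection visible at the exact line that would otherwise be the sink.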

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Stylemixthemes
                                      Stylemixthemes masterstudy Lms
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Stylemixthemes
                                      Stylemixthemes masterstudy Lms
                                      Wordpress
                                      Wordpress wordpress

Mon, 29 Jun 2026 15:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 15:00:00 +0000

Type                 Values Removed   Values Added
Description                           Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions.
Title                                 WordPress MasterStudy LMS plugin <= 3.7.27 - Cross Site Scripting (XSS) vulnerability
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1
                                      {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T15:09:02.472Z

Reserved: 2026-06-24T12:45:08.530Z

Link: CVE-2026-57330

Vulnrichment

Updated: 2026-06-29T15:08:56.718Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:29Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')