Impact
The vulnerability is a subscriber cross‑site scripting flaw that allows malicious input to be executed as JavaScript in the victim’s browser. Based on the description, the attacker can inject a script via a subscription form or a similar input handling that is rendered without proper sanitization. The attacker does not gain server‑side privileges but can hijack user sessions, exfiltrate data, or perform malicious actions while the user is authenticated. This flaw maps to CWE‑79 and is rated medium severity with a CVSS score of 6.5.
Affected Systems
WordPress sites that have the MasterStudy LMS plugin from Stylemix in version 3.7.27 or earlier are affected. The plugin processes subscriber data and delivers that data to the frontend without adequate output encoding. The issue exists in all WordPress installations that have not upgraded past 3.7.27 and thus includes sites running any earlier release of the plugin.
Risk and Exploitability
The CVSS base score of 6.5 indicates moderate risk, and the EPSS score is not available, meaning there is no publicly reported exploitation probability at this time. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is via a web browser by submitting crafted input to the subscription form or related endpoint; an attacker with access to that interface can execute arbitrary JavaScript in the victim’s context. While the flaw does not provide remote code execution on the server, it enables session hijacking, data theft, or other malicious browser‑side actions. The straightforward exploitation path and lack of a public exploit suggest that the risk, while moderate, should not be underestimated.
OpenCVE Enrichment