Description
Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control issue in the WordPress MasterStudy LMS plugin. Subscribers, normally limited to content consumption, can exploit the flaw to access administrative functions or configuration settings that they should not be able to reach. This allows an attacker to modify course data, alter user permissions, or potentially inject malicious code. The weakness is classified as CWE-862 and therefore can undermine both the integrity and confidentiality of the LMS contents.

Affected Systems

WordPress installations that host the MasterStudy LMS plugin version 3.7.30 or earlier. The affected product belongs to the Stylemix:MasterStudy LMS library. Sites with these versions are vulnerable; newer releases (3.7.31 onward) contain the fix.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, but the lack of an EPSS score means the exploitation probability is not quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers can potentially exploit the broken access control by authenticating as a subscribed user and requesting administrative endpoints that lack proper role checks. Because the flaw originates from an unchecked role verification, it can be leveraged without additional privileges or system compromises.

Generated by OpenCVE AI on June 26, 2026 at 16:54 UTC.

Remediation

Vendor Solution

Update the WordPress MasterStudy LMS Plugin to the latest available version (at least 3.7.31).

OpenCVE Recommended Actions

  • Update the MasterStudy LMS plugin to at least version 3.7.31 to eliminate the access control flaw.
  • Immediately review user roles and temporarily restrict subscribers from accessing any administrative areas until the update is applied.
  • Enable detailed access logs and monitor for unauthorized activity after the patch to ensure the vulnerability has been closed.

Generated by OpenCVE AI on June 26, 2026 at 16:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions.
Title WordPress MasterStudy LMS plugin <= 3.7.30 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:32:14.383Z

Reserved: 2026-06-25T08:03:17.055Z

Link: CVE-2026-57640

cve-icon Vulnrichment

Updated: 2026-06-26T15:32:11.504Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses