PT-2026-1424 · WordPress · Wordpress+1
Thinnawarth Mathuros · Published 2026-01-06 · Updated 2026-01-06 · CVE-2025-13766
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
MasterStudy LMS WordPress Plugin versions through 3.7.6
Description
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is susceptible to unauthorized modification and deletion of data. This is due to a lack of appropriate capability checks on several REST API endpoints. Authenticated attackers possessing Subscriber-level access or higher can exploit this to perform actions such as uploading or deleting arbitrary media files, modifying or deleting posts, and creating or managing course templates.
Recommendations
Update to a version beyond 3.7.6.
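The weakness described above, REST routes registered without an adequate capability check, can be triaged in plugin source with a small static scan. This is an added example, not code from the advisory or from the plugin; the PHP sample, the `example-lms/v1` namespace and the handler names are constructed for illustration.

```python
import re

# Callbacks open to everyone or to any logged-in account; a Subscriber passes both.
WEAK_CALLBACKS = {"__return_true", "is_user_logged_in"}
# Constructed sample; namespace, routes and handler names are hypothetical.
SAMPLE_PHP = r"""
register_rest_route( 'example-lms/v1', '/media/(?P<id>\d+)', array(
    'methods' => 'DELETE', 'callback' => 'example_delete_media',
    'permission_callback' => '__return_true',
) );
register_rest_route( 'example-lms/v1', '/templates', array(
    'methods' => 'POST', 'callback' => 'example_create_template',
) );
register_rest_route( 'example-lms/v1', '/posts/(?P<id>\d+)', array(
    'methods' => 'POST', 'callback' => 'example_update_post',
    'permission_callback' => function ( $request ) {
        return current_user_can( 'edit_post', $request['id'] );
    },
) );
register_rest_route( 'example-lms/v1', '/courses', array(
    'methods' => 'POST', 'callback' => 'example_save_course',
    'permission_callback' => 'is_user_logged_in',
) );
"""

def route_calls(php_source):
    """Yield (route, argument text) for each register_rest_route( ... ) call."""
    for m in re.finditer(r"register_rest_route\s*\(", php_source):
        depth, i = 1, m.end()
        while i < len(php_source) and depth:  # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(php_source[i], 0)
            i += 1
        body = php_source[m.end():i - 1]
        literals = re.findall(r"""['"]([^'"]*)['"]""", body)
        yield "/".join(s.strip("/") for s in literals[:2]), body

def audit(php_source):
    """Return (route, reason) pairs for routes lacking a real permission check."""
    findings = []
    for route, body in route_calls(php_source):
        if "permission_callback" not in body:
            findings.append((route, "no permission_callback"))
        named = re.findall(r"""permission_callback['"]\s*=>\s*['"](\w+)['"]""", body)
        findings += [(route, f"permission_callback is {cb}")
                     for cb in named if cb in WEAK_CALLBACKS]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_PHP), sep="\n")
```

A route that passes this scan still needs manual review: the scan only confirms that a callback is present and is not one of the two known-weak names, not that it checks the right capability for the object being modified.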
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Masterstudy Lms
Wordpress