PT-2026-28184 · WordPress · Masteriyo Lms Plugin
Hunter Jensen · Published 2026-03-26 · Updated 2026-03-26
CVE-2026-4484
CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions
Masteriyo LMS plugin for WordPress versions prior to 2.1.7
Description
The Masteriyo LMS plugin for WordPress is susceptible to a privilege escalation issue. An authenticated attacker with Student-level access or higher can elevate their privileges to those of an administrator. This is possible because the plugin allows a user to update their user role through the InstructorsController::prepare_object_for_database function. The vulnerable API endpoint is not explicitly mentioned. The vulnerable parameter is not explicitly mentioned.
Recommendations
Update the Masteriyo LMS plugin to version 2.1.7 or later.
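The missing-authorization pattern from the description, next to a hardened form. This is an added, simplified model, not Masteriyo's code: the function names, the field names ("display_name", "role") and the CAPS table are assumptions, and only the promote_users capability name is taken from WordPress core.

```php
<?php
// Simplified model (constructed for illustration, not the plugin's code):
// a "prepare for database" step that maps request fields onto a user record.

// Constructed capability table; WordPress itself resolves this via current_user_can().
const CAPS = [
    'administrator' => ['promote_users'],
    'student'       => [],
];

function actor_can(array $actor, string $cap): bool {
    return in_array($cap, CAPS[$actor['role']] ?? [], true);
}

// Missing authorization: every field the caller sends, 'role' included, is copied.
function prepare_unchecked(array $actor, array $target, array $request): array {
    foreach (['display_name', 'role'] as $field) {
        if (array_key_exists($field, $request)) {
            $target[$field] = $request[$field];
        }
    }
    return $target;
}

// Hardened: 'role' is a privileged field, applied only when the caller holds
// the role-management capability and the value names a known role.
function prepare_checked(array $actor, array $target, array $request): array {
    if (array_key_exists('display_name', $request)) {
        $target['display_name'] = (string) $request['display_name'];
    }
    if (array_key_exists('role', $request)) {
        if (!actor_can($actor, 'promote_users')) {
            throw new RuntimeException('forbidden: caller may not change roles');
        }
        $role = $request['role'];
        if (!is_string($role) || !array_key_exists($role, CAPS)) {
            throw new InvalidArgumentException('unknown role');
        }
        $target['role'] = $role;
    }
    return $target;
}

// Constructed sample: a student submitting an update to their own record.
$student = ['id' => 7, 'role' => 'student', 'display_name' => 'S'];
$request = ['display_name' => 'Sam', 'role' => 'administrator'];
echo 'unchecked: ', prepare_unchecked($student, $student, $request)['role'], PHP_EOL;
try { prepare_checked($student, $student, $request); }
catch (RuntimeException $e) { echo 'checked: ', $e->getMessage(), PHP_EOL; }
```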
Fix
LPE
Missing Authorization
Affected Products
Masteriyo Lms Plugin