PT-2026-31102 · WordPress+1 · Masteriyo - Lms+1

Published: 2026-04-08 · Updated: 2026-04-13 · CVE-2026-5167

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress versions up to and including 2.1.7

Description

The Masteriyo LMS plugin is affected by an authorization bypass issue. Insufficient webhook signature verification in the handle_webhook() function allows attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata. This can lead to marking any order as completed without payment and gaining unauthorized access to paid course content. The webhook endpoint processes unauthenticated requests because the webhook secret defaults to an empty string, and signature verification is only performed if both the webhook secret setting is configured and the HTTP_STRIPE_SIGNATURE header is present.

Recommendations

Update to a version beyond 2.1.7.
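
The conditional check described above, shown beside a fail-closed form. This is an added example, not the plugin's code or its patch: the function names, sample event and secret are constructed for illustration, and the header format follows Stripe's documented scheme (HMAC-SHA256 over "timestamp.payload").

```php
<?php
// Added illustration, not Masteriyo's code; all function names are hypothetical.
// Gate as the advisory describes it: verification runs only when a secret is
// configured AND the header is present, so either gap skips the check.
function gate_as_described(string $payload, ?string $sig_header, string $secret): bool {
    if ($secret !== '' && $sig_header !== null) {
        return verify_stripe_signature($payload, $sig_header, $secret);
    }
    return true; // falls through: the event is processed unauthenticated
}

// Fail-closed gate: a missing secret or missing header rejects the event.
function gate_fail_closed(string $payload, ?string $sig_header, string $secret): bool {
    if ($secret === '' || $sig_header === null || $sig_header === '') {
        return false;
    }
    return verify_stripe_signature($payload, $sig_header, $secret);
}

// Header is "t=<unix ts>,v1=<hex>"; v1 is HMAC-SHA256 over "<t>.<raw body>"
// keyed with the endpoint secret. Old timestamps are rejected to limit replay.
function verify_stripe_signature(string $payload, string $header, string $secret, int $tolerance = 300): bool {
    $timestamp = null;
    $candidates = [];
    foreach (explode(',', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) !== 2) { continue; }
        if ($kv[0] === 't') { $timestamp = $kv[1]; }
        if ($kv[0] === 'v1') { $candidates[] = $kv[1]; }
    }
    if ($timestamp === null || !ctype_digit($timestamp) || abs(time() - (int) $timestamp) > $tolerance) {
        return false;
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    foreach ($candidates as $candidate) {
        if (hash_equals($expected, $candidate)) { return true; } // constant-time compare
    }
    return false;
}

// Constructed sample event and secret, for demonstration only.
$body   = '{"type":"constructed.event","data":{"object":{"metadata":{"order_id":"1234"}}}}';
$secret = 'whsec_constructed_example';
$ts     = (string) time();
$good   = 't=' . $ts . ',v1=' . hash_hmac('sha256', $ts . '.' . $body, $secret);

var_dump(gate_as_described($body, null, ''));       // empty secret, no header
var_dump(gate_fail_closed($body, null, ''));        // same input, fail-closed gate
var_dump(gate_fail_closed($body, $good, $secret));  // correctly signed event
```

The signature must be computed over the raw request body exactly as received; re-serializing decoded JSON before hashing will make valid events fail verification.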

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-5167

Affected Products: Masteriyo - Lms, Stripe