PT-2026-31102 · Masteriyo · Masteriyo Lms – Online Course Builder For Elearning
Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-5167
CVSS v3.1: 5.3 (Medium) | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. The cause is insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and performs signature verification only if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Because webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.
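The following is an added illustration, not the plugin's own code: it places the fail-open check pattern the advisory describes (verify only when a secret is set AND a Stripe-Signature header is present) next to a fail-closed replacement that rejects any request it cannot verify. Function names, the sample secret and the sample event body are constructed for the demonstration; the signature format (`t=<timestamp>,v1=<hex>` with HMAC-SHA256 over `<timestamp>.<raw body>`) follows Stripe's documented scheme.

```php
<?php
// Added example (not Masteriyo's code). Constructed values for a local run only.
const DEMO_SECRET = 'whsec_constructed_example_secret';

/**
 * Fail-open pattern (the defect the advisory describes, simplified):
 * verification runs only when BOTH a secret is configured AND the
 * Stripe-Signature header is present. With an empty default secret, or a
 * request that omits the header, the body is trusted without any check.
 */
function handle_webhook_fail_open(string $raw_body, array $server, string $webhook_secret): ?array
{
    if ($webhook_secret !== '' && isset($server['HTTP_STRIPE_SIGNATURE'])) {
        if (!verify_stripe_signature($raw_body, $server['HTTP_STRIPE_SIGNATURE'], $webhook_secret, time())) {
            return null;
        }
    }
    // Reached unverified whenever the condition above is false.
    return json_decode($raw_body, true);
}

/**
 * Fail-closed replacement: an unconfigured secret or a missing/invalid
 * signature always rejects the request, so an unverified body is never parsed.
 */
function handle_webhook_fail_closed(string $raw_body, array $server, string $webhook_secret): ?array
{
    if ($webhook_secret === '' || !isset($server['HTTP_STRIPE_SIGNATURE'])) {
        return null; // endpoint not configured, or request is unsigned: reject
    }
    if (!verify_stripe_signature($raw_body, $server['HTTP_STRIPE_SIGNATURE'], $webhook_secret, time())) {
        return null; // bad or replayed signature: reject
    }
    // Even a verified event should be cross-checked against the local order
    // (amount, currency, status) before it is marked paid; omitted here.
    return json_decode($raw_body, true);
}

/**
 * Minimal check of Stripe's scheme: header "t=<unix>,v1=<hex>", where
 * v1 = HMAC-SHA256(secret, "<t>.<raw_body>"), plus a replay tolerance window.
 * Production code should rely on Stripe's official library instead.
 */
function verify_stripe_signature(string $raw_body, string $header, string $secret, int $now, int $tolerance = 300): bool
{
    $timestamp = null;
    $signatures = [];
    foreach (explode(',', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) !== 2) {
            continue;
        }
        if ($kv[0] === 't') {
            $timestamp = (int) $kv[1];
        } elseif ($kv[0] === 'v1') {
            $signatures[] = $kv[1];
        }
    }
    if ($timestamp === null || $signatures === [] || abs($now - $timestamp) > $tolerance) {
        return false;
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $raw_body, $secret);
    foreach ($signatures as $sig) {
        if (hash_equals($expected, $sig)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Demonstration: one constructed, unsigned event body sent to both handlers
// with the default (empty) secret, then a correctly signed one to the hardened handler.
$body = json_encode(['type' => 'checkout.session.completed',
    'data' => ['object' => ['metadata' => ['order_id' => 123]]]]);
$unsigned = []; // no HTTP_STRIPE_SIGNATURE header at all

echo 'fail-open, empty secret, unsigned: ',
    handle_webhook_fail_open($body, $unsigned, '') === null ? 'rejected' : 'PROCESSED WITHOUT VERIFICATION', "\n";
echo 'fail-closed, empty secret, unsigned: ',
    handle_webhook_fail_closed($body, $unsigned, '') === null ? 'rejected' : 'processed', "\n";

$t = time();
$signed = ['HTTP_STRIPE_SIGNATURE' => 't=' . $t . ',v1=' . hash_hmac('sha256', $t . '.' . $body, DEMO_SECRET)];
echo 'fail-closed, configured secret, valid signature: ',
    handle_webhook_fail_closed($body, $signed, DEMO_SECRET) === null ? 'rejected' : 'processed', "\n";
```

Run with `php example.php`. The hardened handler treats an empty `webhook_secret` as "not configured" and refuses to process anything, which is the behaviour a payment webhook needs: the decision to trust a request must never depend on a header the sender controls.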
Fix
IDOR
Affected Products
Masteriyo Lms – Online Course Builder For Elearning