PT-2026-33393 · WordPress · Masterstudy Lms

Naoya Takahashi · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-4817

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MasterStudy LMS WordPress Plugin for Online Courses and Education, versions prior to 3.7.26

Description: Authenticated attackers with subscriber-level access and above can perform time-based blind SQL injection via the 'order' and 'orderby' parameters of the '/lms/stm-lms/order/items' REST API endpoint. The flaw stems from insufficient input sanitization combined with a design error in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. Specifically, when the Query builder detects parentheses in the sort-by ('orderby') parameter, it treats the value as a SQL function and concatenates it directly into the ORDER BY clause without quoting. Although esc_sql() is applied, it only escapes quote and backslash characters, so it does not prevent injection where the value is not wrapped in quotes. This allows extraction of sensitive database information, such as user credentials and session tokens.

Recommendations: Update to a version newer than 3.7.25. As a temporary workaround, restrict access to the '/lms/stm-lms/order/items' REST API endpoint or limit the use of the 'order' and 'orderby' parameters.
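The following is an added illustration, not the plugin's own code, of why esc_sql() gives no protection in an unquoted ORDER BY position and how an allow-list check removes the problem; the esc_sql() stand-in, the parenthesis rule and the column list are assumptions made for the demo.

```php
<?php
// Stand-in for WordPress esc_sql() so the file runs outside WordPress (assumption):
// like the real function it only escapes quotes and backslashes, which is why it
// cannot protect an identifier or keyword that is never wrapped in quotes.
if (!function_exists('esc_sql')) {
    function esc_sql(string $v): string { return addslashes($v); }
}

// Vulnerable pattern (hypothetical reconstruction of the behaviour described in the
// advisory): a value containing parentheses is treated as a SQL function and
// concatenated unquoted, so esc_sql() hands it through unchanged.
function vulnerable_order_by(string $orderby, string $order): string {
    $orderby = esc_sql($orderby);
    $order   = esc_sql($order);
    if (strpos($orderby, '(') !== false) {
        return " ORDER BY {$orderby} {$order}";   // treated as a function: no quoting
    }
    return " ORDER BY `{$orderby}` {$order}";
}

// Hardened pattern: identifiers and keywords cannot be escaped, only allow-listed.
// $allowed_columns is a constructed list for this demo.
function safe_order_by(string $orderby, string $order, array $allowed_columns): string {
    if (!in_array($orderby, $allowed_columns, true)) {
        throw new InvalidArgumentException('orderby is not an allowed column');
    }
    // The direction comes from a fixed vocabulary, never from the raw parameter.
    $order = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    return " ORDER BY `{$orderby}` {$order}";
}

$allowed = ['id', 'date', 'status'];

// esc_sql() leaves a parenthesised value untouched: the clause is built verbatim.
echo vulnerable_order_by('LOWER(status)', 'asc'), "\n";

// The allow-list accepts known columns and rejects anything else, parentheses or not.
echo safe_order_by('date', 'desc', $allowed), "\n";   // ORDER BY `date` DESC
try {
    safe_order_by('LOWER(status)', 'asc', $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

A detection-side check with the same idea: any 'orderby' value hitting this endpoint that is not a plain column name from a known list is worth alerting on.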

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2026-4817

Affected Products: Masterstudy Lms