CVE-2025-13766
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Description
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates
Analysis
for Online Courses and Education versions up to 3.7.6. is affected by missing authorization (CVSS 5.4).
Technical Context
This vulnerability (CWE-862: Missing Authorization) affects for Online Courses and Education. The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates
Affected Products
Product: for Online Courses and Education. Versions: up to 3.7.6..
Remediation
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today