Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation.
This issue affects Masteriyo LMS PRO: from n/a through 2.20.0.
AnalysisAI
Privilege escalation in Themeisle Masteriyo LMS PRO (WordPress plugin) up to and including version 2.20.0 allows remote unauthenticated attackers to gain elevated privileges through incorrect privilege assignment (CWE-266). The CVSS 9.8 score reflects network-reachable, no-authentication exploitation with high impact to confidentiality, integrity, and availability; no public exploit identified at time of analysis, but the Patchstack advisory confirms the flaw class and affected version range.
Technical ContextAI
Masteriyo LMS PRO is a commercial WordPress Learning Management System plugin by Themeisle used to deliver online courses, manage students/instructors, and handle enrollments. CWE-266 (Incorrect Privilege Assignment) indicates that the plugin assigns a privilege, role, or capability to a user or session that it should not receive - typically via a registration, profile-update, or role-handling endpoint that fails to constrain which WordPress roles (e.g., student, instructor, administrator) a caller may assume. Combined with the CPE entry cpe:2.3:a:themeisle:masteriyo_lms_pro:*:*:*:*:*:*:*:*, the issue spans all PRO versions through 2.20.0 and operates within the WordPress role/capability model, meaning a successful exploit translates directly into elevated WordPress account privileges on the host site.
RemediationAI
Upgrade Masteriyo LMS PRO to a version later than 2.20.0 once Themeisle publishes a fixed release; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/learning-management-system-pro/vulnerability/wordpress-masteriyo-lms-pro-2-20-0-privilege-escalation-vulnerability should be consulted for the exact patched version, as no fixed version is asserted in the input data and no vendor-released patch is independently confirmed at time of analysis. Until a patched build is applied, compensating controls include temporarily disabling the Masteriyo LMS PRO plugin (which will take course-delivery offline), turning off open user registration in WordPress Settings → General to prevent attacker-controlled account creation, restricting access to wp-admin and the plugin's REST/AJAX endpoints with a WAF rule or IP allowlist, and auditing the wp_users/wp_usermeta tables for unexpected administrator or instructor role assignments created since the plugin was installed. If using Patchstack mTrac/vPatch or a comparable virtual-patching WAF, enable the rule corresponding to this advisory as an interim layer.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210035
GHSA-836r-6wmg-2qj5