Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Permanent deletion of course records warrants A:L; the provided NVD vector omits this impact despite the description explicitly confirming destructive capability.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.
AnalysisAI
Unauthenticated access to Masteriyo LMS WordPress plugin's course-progress REST API controller exposes all users' learning records to read and permanent deletion. All plugin versions before 2.2.1 are affected due to a missing authorization check on the REST endpoint, meaning any unauthenticated HTTP client can target arbitrary user IDs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required for network access: the WordPress REST API is enabled and publicly accessible by default on all standard WordPress installations, and the vulnerable endpoint requires no authentication token, nonce, or cookie. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) correctly captures the network-accessible, zero-authentication nature of the flaw but notably rates Availability as None despite the endpoint permitting permanent deletion of course progress records - an assessment this analysis disputes (see assessed_cvss_vector). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running Masteriyo LMS by fingerprinting the plugin via standard HTTP probing. Using the publicly available POC from WPScan, the attacker sends unauthenticated GET requests to the course-progress REST endpoint, enumerating course progress records for arbitrary user IDs, then issues unauthenticated DELETE requests to permanently erase the progress of targeted learners - requiring no credentials and leaving no authentication trail. |
| Remediation | Update the Masteriyo LMS WordPress plugin to version 2.2.1 or later, which is the vendor-released patch confirmed by WPScan (https://wpscan.com/vulnerability/61d2f6ad-8450-40ae-862d-cafff38c27a0/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Masteriyo Lms
View allPrivilege escalation in the ThemeGrill Masteriyo LMS WordPress plugin (versions up to and including 2.2.0) allows authen
Broken access control in the Masteriyo - LMS WordPress plugin (versions up to and including 2.1.5) allows remote unauthe
Unauthenticated broken authentication in the Masteriyo LMS WordPress plugin (versions ≤2.1.8) stems from improper JWT si
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39186
GHSA-xp2v-x6vp-vp42