Skip to main content

Masteriyo LMS CVE-2026-10824

| EUVDEUVD-2026-39186 MEDIUM
2026-06-25 WPScan GHSA-xp2v-x6vp-vp42
6.5
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
7.3 HIGH

Permanent deletion of course records warrants A:L; the provided NVD vector omits this impact despite the description explicitly confirming destructive capability.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 14:39 vuln.today
CVSS changed
Jun 25, 2026 - 14:22 NVD
6.5 (MEDIUM)
Patch available
Jun 25, 2026 - 08:01 EUVD
CVE Published
Jun 25, 2026 - 06:00 cve.org
MEDIUM 6.5
CVE Published
Jun 25, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

AnalysisAI

Unauthenticated access to Masteriyo LMS WordPress plugin's course-progress REST API controller exposes all users' learning records to read and permanent deletion. All plugin versions before 2.2.1 are affected due to a missing authorization check on the REST endpoint, meaning any unauthenticated HTTP client can target arbitrary user IDs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fingerprint target WordPress site with Masteriyo LMS
Delivery
Discover course-progress REST API route
Exploit
Enumerate valid user IDs via WordPress user API
Execution
Send unauthenticated GET to read course progress records
Persist
Send unauthenticated DELETE request
Impact
Permanently destroy targeted learner progress

Vulnerability AssessmentAI

Exploitation No special conditions are required for network access: the WordPress REST API is enabled and publicly accessible by default on all standard WordPress installations, and the vulnerable endpoint requires no authentication token, nonce, or cookie. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) correctly captures the network-accessible, zero-authentication nature of the flaw but notably rates Availability as None despite the endpoint permitting permanent deletion of course progress records - an assessment this analysis disputes (see assessed_cvss_vector). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running Masteriyo LMS by fingerprinting the plugin via standard HTTP probing. Using the publicly available POC from WPScan, the attacker sends unauthenticated GET requests to the course-progress REST endpoint, enumerating course progress records for arbitrary user IDs, then issues unauthenticated DELETE requests to permanently erase the progress of targeted learners - requiring no credentials and leaving no authentication trail.
Remediation Update the Masteriyo LMS WordPress plugin to version 2.2.1 or later, which is the vendor-released patch confirmed by WPScan (https://wpscan.com/vulnerability/61d2f6ad-8450-40ae-862d-cafff38c27a0/). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy