Skip to main content

Masteriyo LMS CVE-2026-11773

| EUVDEUVD-2026-39953 MEDIUM
Missing Authorization (CWE-862)
2026-06-27 Wordfence GHSA-26q5-grw2-6qhj
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Student account required (PR:L); only announcement text integrity affected (I:L); no confidentiality or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:54 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Masteriyo LMS - LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.

AnalysisAI

Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain student account on target WordPress LMS
Delivery
Enumerate course announcement post IDs
Exploit
Send crafted HTTP update request to CourseAnnouncementController endpoint
Execution
Bypass missing authorization check
Impact
Overwrite instructor-authored announcement post content

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with at minimum student-level enrollment on a site running Masteriyo LMS version 2.2.1 or earlier with the course-announcement addon active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N yields a 4.3 base score that accurately reflects the constrained blast radius: network-accessible, low-complexity exploitation requiring only a low-privilege authenticated account, with scope unchanged and impact limited to partial integrity - no code execution, no data disclosure, no availability disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An enrolled student on an affected Masteriyo LMS site sends a crafted update request to the CourseAnnouncementController endpoint, specifying the post ID of an announcement authored by an instructor rather than their own content. Because the controller performs no ownership or role verification, the request succeeds and silently replaces the instructor's announcement - potentially substituting accurate exam instructions with false information to mislead other students. …
Remediation An upstream fix has been committed to the WordPress plugin SVN repository as changeset 3583519 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3583519%40learning-management-system&new=3583519%40learning-management-system); the exact released patched version number is not independently confirmed from the available data and should be verified via the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5780d762-2313-4c81-be02-99543359d824?source=cve) or the Masteriyo plugin changelog on WordPress.org - update to the first version exceeding 2.2.1 once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy