Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Student account required (PR:L); only announcement text integrity affected (I:L); no confidentiality or availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Masteriyo LMS - LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.
AnalysisAI
Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with at minimum student-level enrollment on a site running Masteriyo LMS version 2.2.1 or earlier with the course-announcement addon active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N yields a 4.3 base score that accurately reflects the constrained blast radius: network-accessible, low-complexity exploitation requiring only a low-privilege authenticated account, with scope unchanged and impact limited to partial integrity - no code execution, no data disclosure, no availability disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An enrolled student on an affected Masteriyo LMS site sends a crafted update request to the CourseAnnouncementController endpoint, specifying the post ID of an announcement authored by an instructor rather than their own content. Because the controller performs no ownership or role verification, the request succeeds and silently replaces the instructor's announcement - potentially substituting accurate exam instructions with false information to mislead other students. … |
| Remediation | An upstream fix has been committed to the WordPress plugin SVN repository as changeset 3583519 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3583519%40learning-management-system&new=3583519%40learning-management-system); the exact released patched version number is not independently confirmed from the available data and should be verified via the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/5780d762-2313-4c81-be02-99543359d824?source=cve) or the Masteriyo plugin changelog on WordPress.org - update to the first version exceeding 2.2.1 once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39953
GHSA-26q5-grw2-6qhj