What is the CVSS score of CVE-2026-39524?

CVE-2026-39524 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.2%.

Which versions of Masteriyo LMS are affected by CVE-2026-39524?

Masteriyo LMS WordPress plugin versions up to 2.1.5 contain a critical access control vulnerability enabling unauthenticated users to bypass payment workflows and modify protected resources, with no…

How to fix or mitigate CVE-2026-39524?

Within 24 hours: Audit all WordPress installations for affected Masteriyo LMS plugin versions (up to 2.1.5) and assess payment processing exposure. Within 7 days: Deploy Web Application Firewall (WAF) rules restricting unauthorized payment endpoint access, enable comprehensive transaction logging, and enforce role-based access controls (RBAC) limiting resource modifications to authenticated administrators. Within 30 days: Evaluate and execute migration to an alternative LMS plugin without this vulnerability, or apply vendor patch when released.

Masteriyo LMS CVE-2026-39524

EUVD-2026-36957 HIGH

Missing Authorization (CWE-862)

2026-06-15 Patchstack

GHSA-w265-826q-pq4h

Authentication Bypass Masteriyo Lms

7.5

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

vuln.today AI

7.5 HIGH

Remote unauthenticated HTTP request to a WordPress plugin endpoint with no user interaction; missing authorization yields integrity impact only (bypassed payment state), with no confidentiality or availability loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 15, 2026 - 22:20 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Masteriyo - LMS <= 2.1.5 versions.

AnalysisAI

Broken access control in the Masteriyo - LMS WordPress plugin (versions up to and including 2.1.5) allows remote unauthenticated attackers to bypass payment workflows and tamper with protected resources without authorization. The Patchstack advisory characterizes this as a payment bypass issue rooted in a missing authorization check (CWE-862), and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify WordPress site running Masteriyo LMS ≤2.1.5

Delivery

Enumerate paid courses and checkout endpoints

Exploit

Send crafted unauthenticated request bypassing payment check

Execution

Plugin marks order/enrollment as paid

Impact

Access paid course content without payment

Access

Identify WordPress site running Masteriyo LMS ≤2.1.5

Delivery

Enumerate paid courses and checkout endpoints

Exploit

Send crafted unauthenticated request bypassing payment check

Execution

Plugin marks order/enrollment as paid

Impact

Access paid course content without payment

Vulnerability AssessmentAI

Exploitation	Exploitation requires only that the target WordPress site has the Masteriyo - LMS plugin installed and active at version 2.1.5 or earlier with at least one paid course or paid resource configured to be purchased through the plugin's built-in checkout flow - that is the feature whose authorization check is missing. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (7.5 High) indicates a remote, low-complexity, fully unauthenticated path with high integrity impact but no confidentiality or availability impact, which is consistent with a payment/access-control bypass rather than full site compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker browses to a WordPress site running Masteriyo - LMS ≤ 2.1.5, selects a paid course, and issues a crafted HTTP request directly to the vulnerable plugin endpoint that finalizes an order or enrollment, skipping the legitimate payment gateway step. The attacker gains access to the paid course content (and any associated digital deliverables) without payment, repeating the abuse across courses and accounts; no public exploit identified at time of analysis, but the Patchstack advisory describes the bypass mechanism at a level useful to attackers reverse-engineering the patch.
Remediation	Patch available per vendor advisory: upgrade the Masteriyo - LMS plugin to a version newer than 2.1.5 as indicated by the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/learning-management-system/vulnerability/wordpress-masteriyo-lms-plugin-2-1-5-payment-bypass-vulnerability; a specific fixed version was not included in the provided input data, so administrators should consult the advisory and the WordPress.org plugin page for the exact patched release. … Detailed patch versions, workarounds, and compensating controls in full report.