Skip to main content

MasterStudy LMS CVE-2026-42730

| EUVDEUVD-2026-32185 HIGH
SQL Injection (CWE-89)
2026-05-27 audit@patchstack.com GHSA-m566-c35v-7wr3
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:49 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection.This issue affects MasterStudy LMS: from n/a through <= 3.7.29.

AnalysisAI

Blind SQL injection in the Stylemix MasterStudy LMS WordPress plugin (all versions through 3.7.29) lets authenticated low-privilege users inject crafted SQL into a backend database query, enabling extraction of arbitrary database contents including user credentials and configuration secrets. The CVSS 8.5 (scope-changed) rating reflects that a successful injection can reach data beyond the plugin's own scope, i.e. the entire shared WordPress database. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 9th percentile), but the network-reachable, low-complexity nature of the flaw makes it a meaningful risk for sites that grant accounts to students or instructors.

Technical ContextAI

MasterStudy LMS is a learning-management plugin for WordPress used to build courses, quizzes, and membership areas; it stores course, user, and order data in the shared WordPress MySQL/MariaDB database. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-supplied input reaches a SQL statement without proper parameterization or escaping, so attacker-controlled values are interpreted as SQL syntax. The 'blind' classification means results are not returned directly in the response - the attacker infers data via boolean/time-based differential behavior, typically through tooling such as sqlmap. Because WordPress plugins share the core wp_ tables, injection here can read data owned by WordPress core and other plugins, consistent with the CVSS Scope:Changed (S:C) flag.

RemediationAI

No vendor-released patch version is identified in the available data, so the fixed release cannot be cited with confidence - administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/masterstudy-lms-learning-management-system/vulnerability/wordpress-masterstudy-lms-plugin-3-7-29-sql-injection-vulnerability?_s_id=cve) and the Stylemix changelog for a release later than 3.7.29 and upgrade to it as soon as it is published. As compensating controls until a patch is applied: restrict or temporarily disable self-service account registration so untrusted users cannot obtain the low-privilege access the flaw requires (trade-off: blocks new student/instructor signups); deploy a WAF rule set such as Patchstack's virtual patch or ModSecurity to filter SQL-injection patterns on the plugin's endpoints (trade-off: pattern-based filtering may be bypassable for blind/time-based payloads and can cause false positives); and tighten the database account WordPress uses to the minimum required privileges to limit the blast radius of any successful injection (trade-off: does not stop data theft from tables the app legitimately reads). Audit logs for anomalous or time-delayed queries from authenticated low-privilege users.

Share

CVE-2026-42730 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy