Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection.This issue affects MasterStudy LMS: from n/a through <= 3.7.29.
AnalysisAI
Blind SQL injection in the Stylemix MasterStudy LMS WordPress plugin (all versions through 3.7.29) lets authenticated low-privilege users inject crafted SQL into a backend database query, enabling extraction of arbitrary database contents including user credentials and configuration secrets. The CVSS 8.5 (scope-changed) rating reflects that a successful injection can reach data beyond the plugin's own scope, i.e. the entire shared WordPress database. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 9th percentile), but the network-reachable, low-complexity nature of the flaw makes it a meaningful risk for sites that grant accounts to students or instructors.
Technical ContextAI
MasterStudy LMS is a learning-management plugin for WordPress used to build courses, quizzes, and membership areas; it stores course, user, and order data in the shared WordPress MySQL/MariaDB database. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-supplied input reaches a SQL statement without proper parameterization or escaping, so attacker-controlled values are interpreted as SQL syntax. The 'blind' classification means results are not returned directly in the response - the attacker infers data via boolean/time-based differential behavior, typically through tooling such as sqlmap. Because WordPress plugins share the core wp_ tables, injection here can read data owned by WordPress core and other plugins, consistent with the CVSS Scope:Changed (S:C) flag.
RemediationAI
No vendor-released patch version is identified in the available data, so the fixed release cannot be cited with confidence - administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/masterstudy-lms-learning-management-system/vulnerability/wordpress-masterstudy-lms-plugin-3-7-29-sql-injection-vulnerability?_s_id=cve) and the Stylemix changelog for a release later than 3.7.29 and upgrade to it as soon as it is published. As compensating controls until a patch is applied: restrict or temporarily disable self-service account registration so untrusted users cannot obtain the low-privilege access the flaw requires (trade-off: blocks new student/instructor signups); deploy a WAF rule set such as Patchstack's virtual patch or ModSecurity to filter SQL-injection patterns on the plugin's endpoints (trade-off: pattern-based filtering may be bypassable for blind/time-based payloads and can cause false positives); and tighten the database account WordPress uses to the minimum required privileges to limit the blast radius of any successful injection (trade-off: does not stop data theft from tables the app legitimately reads). Audit logs for anomalous or time-delayed queries from authenticated low-privilege users.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32185
GHSA-m566-c35v-7wr3