Masteriyo LMS CVE-2026-49111

EUVD-2026-36722 · HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-15 · Patchstack · GHSA-96jg-h8w9-77j9
CVSS 3.1 base score: 8.8 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), PRIMARY: 8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.8 HIGH

WordPress plugin reachable over the network (AV:N), low complexity with no special conditions (AC:L), requires any authenticated account (PR:L), no victim interaction (UI:N), and full admin takeover yields C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 14:32 (vuln.today)

Description (CVE.org)

Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation.

This issue affects Masteriyo - LMS: from n/a through 2.2.0.

Analysis (AI)

Privilege escalation in the ThemeGrill Masteriyo LMS WordPress plugin (versions up to and including 2.2.0) allows authenticated low-privileged users to elevate their permissions to higher roles, including administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 8.8 with high confidentiality, integrity, and availability impact across the WordPress instance. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Identify target running Masteriyo ≤ 2.2.0
Delivery: Register or obtain low-privileged student account
Exploit: Send crafted request to vulnerable privilege-assignment endpoint
Install: Account capabilities rewritten to administrator
C2: Log into wp-admin with elevated role
Execute: Install malicious plugin or modify content
Impact: Full WordPress site takeover

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) a WordPress site running the ThemeGrill Masteriyo LMS plugin at version 2.2.0 or earlier and (2) the attacker holding a low-privileged authenticated session on that site (PR:L in the CVSS vector, typically a Student, Subscriber, or Instructor-tier account created via Masteriyo's own enrollment flow or WordPress registration). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H paints a realistic high-impact picture: any authenticated low-privileged account (e.g., a Student or Subscriber on a Masteriyo-enabled site) can reach the vulnerable code over the network with no user interaction and obtain administrator-level control of the WordPress instance, which on most installations means full site takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker registers (or uses an existing) low-privileged Masteriyo account such as a Student on a target WordPress site, then issues a crafted HTTP request to the vulnerable plugin endpoint that performs role or capability assignment without proper privilege checks. The request promotes the attacker's own account to administrator, after which they log in to wp-admin and install a malicious plugin or theme to achieve full site takeover; no public PoC is referenced in the supplied data.

Remediation: No vendor-released patch was identified at the time of analysis from the supplied data. Administrators should monitor the ThemeGrill Masteriyo plugin page and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/learning-management-system/vulnerability/wordpress-masteriyo-lms-plugin-2-2-0-privilege-escalation-vulnerability for a release above 2.2.0 and update as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Inventory all WordPress instances running Masteriyo LMS up to version 2.2.0; restrict plugin settings access to administrator-level accounts only; implement firewall rules limiting administrative access. …


CVE-2026-49111 vulnerability details – vuln.today
