Skip to main content

Masteriyo LMS PRO EUVDEUVD-2025-210035

| CVE-2025-53209 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-02 Patchstack GHSA-836r-6wmg-2qj5
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVE Published
Jun 22, 2026 - 06:03 cve.org
CRITICAL 9.8
Analysis Generated
Jun 02, 2026 - 10:20 vuln.today

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation.

This issue affects Masteriyo LMS PRO: from n/a through 2.20.0.

AnalysisAI

Privilege escalation in Themeisle Masteriyo LMS PRO (WordPress plugin) up to and including version 2.20.0 allows remote unauthenticated attackers to gain elevated privileges through incorrect privilege assignment (CWE-266). The CVSS 9.8 score reflects network-reachable, no-authentication exploitation with high impact to confidentiality, integrity, and availability; no public exploit identified at time of analysis, but the Patchstack advisory confirms the flaw class and affected version range.

Technical ContextAI

Masteriyo LMS PRO is a commercial WordPress Learning Management System plugin by Themeisle used to deliver online courses, manage students/instructors, and handle enrollments. CWE-266 (Incorrect Privilege Assignment) indicates that the plugin assigns a privilege, role, or capability to a user or session that it should not receive - typically via a registration, profile-update, or role-handling endpoint that fails to constrain which WordPress roles (e.g., student, instructor, administrator) a caller may assume. Combined with the CPE entry cpe:2.3:a:themeisle:masteriyo_lms_pro:*:*:*:*:*:*:*:*, the issue spans all PRO versions through 2.20.0 and operates within the WordPress role/capability model, meaning a successful exploit translates directly into elevated WordPress account privileges on the host site.

RemediationAI

Upgrade Masteriyo LMS PRO to a version later than 2.20.0 once Themeisle publishes a fixed release; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/learning-management-system-pro/vulnerability/wordpress-masteriyo-lms-pro-2-20-0-privilege-escalation-vulnerability should be consulted for the exact patched version, as no fixed version is asserted in the input data and no vendor-released patch is independently confirmed at time of analysis. Until a patched build is applied, compensating controls include temporarily disabling the Masteriyo LMS PRO plugin (which will take course-delivery offline), turning off open user registration in WordPress Settings → General to prevent attacker-controlled account creation, restricting access to wp-admin and the plugin's REST/AJAX endpoints with a WAF rule or IP allowlist, and auditing the wp_users/wp_usermeta tables for unexpected administrator or instructor role assignments created since the plugin was installed. If using Patchstack mTrac/vPatch or a comparable virtual-patching WAF, enable the rule corresponding to this advisory as an interim layer.

Share

EUVD-2025-210035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy