Skip to main content

MasterStudy LMS Pro EUVDEUVD-2025-210138

| CVE-2025-64215 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-mj6w-cx37-26h8
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable unauthenticated WordPress endpoint with no interaction needed; impact limited to partial integrity and availability with no confidentiality breach.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 15, 2026 - 16:01 EUVD
Analysis Generated
Jun 15, 2026 - 14:35 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects MasterStudy LMS Pro: from n/a before 4.7.16.

AnalysisAI

Missing Authorization in StylemixThemes MasterStudy LMS Pro (WordPress plugin) exposes restricted LMS functionality to unauthenticated remote attackers, enabling unauthorized modification of course content or platform data and limited disruption of availability. All versions before 4.7.16 are affected, with the flaw rooted in the plugin's failure to enforce access control checks on certain endpoints - effectively allowing callers to bypass intended privilege gates entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low-complexity, unauthenticated attack surface warrants prompt patching on any publicly reachable WordPress installation.

Technical ContextAI

MasterStudy LMS Pro (CPE: cpe:2.3:a:stylemixthemes:masterstudy_lms_pro:*:*:*:*:*:*:*:*) is a premium WordPress learning management system plugin by StylemixThemes. CWE-862 (Missing Authorization) indicates the plugin registers AJAX handlers, REST API routes, or admin-facing endpoints without verifying whether the requesting user holds the required capability or role before executing the underlying logic. In WordPress, authorization is typically enforced via capability checks (current_user_can()) or nonce validation tied to roles; their absence allows any network-accessible caller - including unauthenticated visitors - to invoke privileged functionality. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is a straightforward network-reachable, unauthenticated path requiring no special tooling or chaining.

RemediationAI

Upgrade MasterStudy LMS Pro to version 4.7.16 or later immediately; this is the vendor-confirmed patched release per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/masterstudy-lms-learning-management-system-pro/vulnerability/wordpress-masterstudy-lms-pro-plugin-4-7-16-broken-access-control-vulnerability-2. If immediate upgrade is not feasible, consider temporarily deactivating the plugin to eliminate the attack surface entirely - note this will disable all LMS functionality for enrolled students and instructors. Alternatively, restrict access to the WordPress admin-ajax.php and REST API endpoints via WAF rules or server-level IP allowlisting to limit exposure to trusted networks only, with the trade-off that this may break legitimate student interactions with the LMS. WordPress site operators should also audit plugin activity logs for anomalous unauthenticated requests to LMS endpoints made prior to patching.

Share

EUVD-2025-210138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy