Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable unauthenticated WordPress endpoint with no interaction needed; impact limited to partial integrity and availability with no confidentiality breach.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects MasterStudy LMS Pro: from n/a before 4.7.16.
AnalysisAI
Missing Authorization in StylemixThemes MasterStudy LMS Pro (WordPress plugin) exposes restricted LMS functionality to unauthenticated remote attackers, enabling unauthorized modification of course content or platform data and limited disruption of availability. All versions before 4.7.16 are affected, with the flaw rooted in the plugin's failure to enforce access control checks on certain endpoints - effectively allowing callers to bypass intended privilege gates entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low-complexity, unauthenticated attack surface warrants prompt patching on any publicly reachable WordPress installation.
Technical ContextAI
MasterStudy LMS Pro (CPE: cpe:2.3:a:stylemixthemes:masterstudy_lms_pro:*:*:*:*:*:*:*:*) is a premium WordPress learning management system plugin by StylemixThemes. CWE-862 (Missing Authorization) indicates the plugin registers AJAX handlers, REST API routes, or admin-facing endpoints without verifying whether the requesting user holds the required capability or role before executing the underlying logic. In WordPress, authorization is typically enforced via capability checks (current_user_can()) or nonce validation tied to roles; their absence allows any network-accessible caller - including unauthenticated visitors - to invoke privileged functionality. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is a straightforward network-reachable, unauthenticated path requiring no special tooling or chaining.
RemediationAI
Upgrade MasterStudy LMS Pro to version 4.7.16 or later immediately; this is the vendor-confirmed patched release per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/masterstudy-lms-learning-management-system-pro/vulnerability/wordpress-masterstudy-lms-pro-plugin-4-7-16-broken-access-control-vulnerability-2. If immediate upgrade is not feasible, consider temporarily deactivating the plugin to eliminate the attack surface entirely - note this will disable all LMS functionality for enrolled students and instructors. Alternatively, restrict access to the WordPress admin-ajax.php and REST API endpoints via WAF rules or server-level IP allowlisting to limit exposure to trusted networks only, with the trade-off that this may break legitimate student interactions with the LMS. WordPress site operators should also audit plugin activity logs for anomalous unauthenticated requests to LMS endpoints made prior to patching.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210138
GHSA-mj6w-cx37-26h8