EUVD-2026-16074
GHSA-6m8q-32w5-c768
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.
Analysis
The Masteriyo LMS plugin for WordPress contains a critical privilege escalation vulnerability that allows authenticated users with Student-level access or higher to elevate their privileges to administrator level. All versions up to and including 2.1.6 are affected. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all WordPress instances running Masteriyo LMS and document affected versions; immediately disable the plugin if not operationally critical or restrict access via network/WAF rules. Within 7 days: evaluate alternative LMS solutions and develop migration timeline; implement Web Application Firewall rules to block exploitation attempts if plugin remains active. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today