Masteriyo Lms
Unauthenticated broken authentication in the Masteriyo LMS WordPress plugin (versions ≤2.1.8) stems from improper JWT signature verification (CWE-347), allowing remote attackers to forge authentication tokens without valid credentials and gain unauthorized access to protected LMS resources. The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N confirms fully unauthenticated, low-complexity network exploitation, enabling an attacker to impersonate enrolled students or instructors and read or modify course-related data. No public exploit code or active exploitation has been confirmed at time of analysis, and the vulnerability is not listed in CISA KEV.
Broken access control in the Masteriyo - LMS WordPress plugin (versions up to and including 2.1.5) allows remote unauthenticated attackers to bypass payment workflows and tamper with protected resources without authorization. The Patchstack advisory characterizes this as a payment bypass issue rooted in a missing authorization check (CWE-862), and no public exploit was identified at time of analysis. EPSS data was not provided and the CVE is not currently listed in CISA KEV.
Privilege escalation in the ThemeGrill Masteriyo LMS WordPress plugin (versions up to and including 2.2.0) allows authenticated low-privileged users to elevate their permissions to higher roles, including administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 8.8 with high confidentiality, integrity, and availability impact across the WordPress instance. No public exploit identified at time of analysis, and the Patchstack disclosure is the sole reference currently available.