Skip to main content

Masterstudy Lms

15 CVEs product

Monthly

CVE-2026-57330 MEDIUM This Month

Stored Cross-Site Scripting in the MasterStudy LMS WordPress plugin (versions <= 3.7.27) allows authenticated subscriber-level users to inject malicious scripts that execute in the browsers of higher-privileged users such as administrators. The vulnerability carries a Scope:Changed CVSS vector, meaning successful exploitation breaks the browser security boundary and can impact resources beyond the plugin itself - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber role) widens the attacker pool considerably on sites with open or paid user registration.

XSS Masterstudy Lms
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-40766 HIGH This Week

SQL injection in the MasterStudy LMS WordPress plugin (versions 3.7.25 and earlier) allows authenticated users at the Subscriber privilege level to inject crafted SQL into backend database queries, leading to high-impact disclosure of confidential database contents and limited availability degradation. The flaw was reported by Patchstack and carries a scope-changed CVSS 3.1 score of 8.5; no public exploit identified at time of analysis.

SQLi Masterstudy Lms
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2024-37094 CRITICAL Act Now

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels.2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Masterstudy Lms
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-5973 HIGH POC This Week

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to get access to functionalities they shouldn't. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Masterstudy Lms
NVD WPScan
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-3942 MEDIUM This Month

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Masterstudy Lms
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2024-3136 CRITICAL POC PATCH THREAT Act Now

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 49.6%.

WordPress PHP RCE LFI Information Disclosure +1
NVD
CVSS 3.1
9.8
EPSS
49.6%
Threat
4.9
CVE-2024-1904 MEDIUM This Month

The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and including, 3.2.13. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Masterstudy Lms
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-2411 CRITICAL PATCH Act Now

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Information Disclosure RCE WordPress LFI +1
NVD VulDB
CVSS 3.1
9.8
EPSS
3.1%
CVE-2024-2409 CRITICAL PATCH Act Now

The MasterStudy LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation WordPress Masterstudy Lms
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-2106 MEDIUM PATCH This Month

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

WordPress Information Disclosure Masterstudy Lms
NVD VulDB
CVSS 3.1
5.3
EPSS
1.9%
CVE-2024-1512 CRITICAL POC THREAT Emergency

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.6%.

SQLi WordPress Masterstudy Lms
NVD VulDB
CVSS 3.1
9.8
EPSS
93.6%
Threat
6.3
CVE-2023-4278 HIGH POC This Week

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in place during registration allowing anyone to register on the site as an instructor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Masterstudy Lms
NVD WPScan Exploit-DB
CVSS 3.1
7.5
EPSS
3.5%
CVE-2023-35093 MEDIUM This Month

Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Masterstudy Lms
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-35090 MEDIUM This Month

Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Masterstudy Lms
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-0441 CRITICAL POC PATCH THREAT Act Now

The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation WordPress Masterstudy Lms
NVD WPScan Exploit-DB
CVSS 3.1
9.8
EPSS
84.9%
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the MasterStudy LMS WordPress plugin (versions <= 3.7.27) allows authenticated subscriber-level users to inject malicious scripts that execute in the browsers of higher-privileged users such as administrators. The vulnerability carries a Scope:Changed CVSS vector, meaning successful exploitation breaks the browser security boundary and can impact resources beyond the plugin itself - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber role) widens the attacker pool considerably on sites with open or paid user registration.

XSS Masterstudy Lms
NVD
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in the MasterStudy LMS WordPress plugin (versions 3.7.25 and earlier) allows authenticated users at the Subscriber privilege level to inject crafted SQL into backend database queries, leading to high-impact disclosure of confidential database contents and limited availability degradation. The flaw was reported by Patchstack and carries a scope-changed CVSS 3.1 score of 8.5; no public exploit identified at time of analysis.

SQLi Masterstudy Lms
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS allows Exploiting Incorrectly Configured Access Control Security Levels.2.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Masterstudy Lms
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to get access to functionalities they shouldn't. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Masterstudy Lms
NVD WPScan
EPSS 0% CVSS 6.3
MEDIUM This Month

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Masterstudy Lms
NVD
EPSS 50% 4.9 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 49.6%.

WordPress PHP RCE +3
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and including, 3.2.13. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Masterstudy Lms
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Information Disclosure RCE +3
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

The MasterStudy LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation WordPress Masterstudy Lms
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

WordPress Information Disclosure Masterstudy Lms
NVD VulDB
EPSS 94% 6.3 CVSS 9.8
CRITICAL POC THREAT Emergency

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.6%.

SQLi WordPress Masterstudy Lms
NVD VulDB
EPSS 3% CVSS 7.5
HIGH POC This Week

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in place during registration allowing anyone to register on the site as an instructor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Masterstudy Lms
NVD WPScan Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM This Month

Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Masterstudy Lms
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Masterstudy Lms
NVD
EPSS 85% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation WordPress Masterstudy Lms
NVD WPScan Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy