WordPress Plugin Vulnerabilities

Masteriyo - LMS < 2.0.4 - Authenticated (Subscriber+) Sensitive Information Exposure

Description

The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

Affects Plugins

Plugin icon
learning-management-system
Fixed in 2.0.4

References

CVE
CVE-2025-64270
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2d0a9410-533a-4d5a-859c-fc9ad839f47a

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
1f5d66c2-a2ce-467c-b1fe-1f712ef0b178

Timeline

Publicly Published
2025-11-30 (about 5 months ago)
Added
2025-12-20 (about 5 months ago)
Last Updated
2025-12-20 (about 5 months ago)

Other

Published
Title
Published
2024-04-22
Title
Frontend Dashboard < 2.2.4 -
Published
2024-09-27
Title
uListing < 2.1.6 - Unauthenticated Information Exposure
Published
2022-01-03
Title
Document Embedder < 1.7.9 - Subscriber+ Arbitrary Private/Draft Post Title Disclosure
Published
2024-07-10
Title
Duplicator < 1.5.10 - Full Path Disclosure
Published
2025-12-29
Title
PopupKit < 2.2.1 - Authenticated (Subscriber+) Information Exposure