MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.7.7 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion | CVE 2025-13766 | Plugin Vulnerabilities

Description

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates

Affects Plugins

masterstudy-lms-learning-management-system

Fixed in 3.7.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

thinnawarth mathuros

Verified

No

WPVDB ID

b3a36da4-2d70-4243-b125-4184edd31685

Timeline

Publicly Published

2026-01-05 (about 5 months ago)

Added

2026-01-05 (about 5 months ago)

Last Updated

2026-01-06 (about 5 months ago)

Other

Published

Title

Published

2026-04-24

Title

Groundhogg — CRM, Newsletters, and Marketing Automation < 4.4.1 - Missing Authorization

Published

2015-10-10

Title

Ajax Load More < 2.8.1.2 - Subscriber+ File Upload & Deletion

Published

2026-03-06

Title

Greenshift < 12.8.4 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load'

Published

2026-02-04

Title

Sync Master Sheet – Product Sync with Google Sheet for WooCommerce < 1.1.4 - Missing Authorization

Published

2023-12-26

Title

WC Marketplace < 4.0.24 - Missing Authorization via mvx_save_dashpages