WordPress Plugin Vulnerabilities

Masteriyo LMS – Online Course Builder for eLearning, LMS & Education < 2.1.6 - Missing Authorization

Description

The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
learning-management-system
Fixed in 2.1.6

References

CVE
CVE-2026-39524
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/73b4e081-caa8-4055-91e2-11979df20159

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
davidfdzmorilla
Verified
No
WPVDB ID
c863198b-5a7d-4698-bfe9-e6a9863a87e5

Timeline

Publicly Published
2026-04-08 (about 1 month ago)
Added
2026-04-15 (about 1 month ago)
Last Updated
2026-04-15 (about 1 month ago)

Other

Published
Title
Published
2025-12-12
Title
Gallery Blocks with Lightbox < 3.3.1 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification
Published
2025-11-07
Title
Course Booking System < 6.1.6 - Missing Authorization to Unauthenticated Booking Data Export
Published
2026-02-11
Title
Travel Agency < 1.5.6 - Missing Authorization
Published
2025-07-22
Title
AI Tools <= 4.0.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2025-08-26
Title
Javo Core <= 3.0.0.529 - Unauthenticated Arbitrary Content Deletion