WordPress Plugin Vulnerabilities

MasterStudy LMS < 3.6.21 - Missing Authorization

Description

The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in a function in versions up to, and including, 3.6.20. This makes it possible for authenticated attackers, with subscriber-level access and above, to view other user's order confirmation.

Affects Plugins

Plugin icon
masterstudy-lms-learning-management-system
Fixed in 3.6.21

References

CVE
CVE-2025-59576
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed96d76-ef7d-46c5-a164-992dd4f15afe

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bibek Dhakal
Verified
No
WPVDB ID
cf40df09-c133-4def-a66d-5e257b992c35

Timeline

Publicly Published
2025-09-22 (about 9 months ago)
Added
2025-09-26 (about 8 months ago)
Last Updated
2025-09-26 (about 8 months ago)

Other

Published
Title
Published
2024-08-16
Title
WPC Frequently Bought Together for WooCommerce < 7.2.0 - Missing Authorization
Published
2024-02-27
Title
LiteSpeed Cache < 5.7.0.1 - Unauthenticated CDN Status Update
Published
2026-05-26
Title
Feeds for TikTok – Display Video Feeds in Grid Layouts < 1.0.25 - Missing Authorization
Published
2023-11-24
Title
Booster for WooCommerce < 7.1.2 - Missing Authorization to Authenticated (Subscriber+) Order Information Disclosure
Published
2026-02-17
Title
SiteOrigin Widgets Bundle < 1.71.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution