Vulnerabilities and security researches forlearning-management-system learning-management-system
Direction: ascendingJun 06, 2024
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # d9707c35db1ab0be9227a865ddf0998f4b634bf3
- CVE, Research URL
- Date
- Jul 03, 2023
- Research Description
- Masteriyo LMS – Online Course Builder for eLearning, LMS & Education [learning-management-system] < 1.6.8 Masteriyo - LMS for WordPress <= 1.6.7 - Sensitive Information Exposure The Masteriyo - LMS for WordPress plugin is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.6.7 via the 'get_item' REST callback. This can allow authenticated attackers to extract sensitive data including user metadata.
- Affected versions
-
max 1.6.8.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-33939
- CVE, Research URL
- Date
- May 19, 2025
- Research Description
- Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress.This issue affects Masteriyo - LMS: from n/a through 1.7.3.
- Affected versions
-
max 1.7.4.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2023-3345
- CVE, Research URL
- Date
- Jul 31, 2023
- Research Description
- The LMS by Masteriyo WordPress plugin before 1.6.8 does not have proper authorization in one some of its REST API endpoints, making it possible for any students to retrieve email addresses of other students
- Affected versions
-
max 1.6.8.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-24882
- CVE, Research URL
- Date
- May 17, 2024
- Research Description
- Improper Privilege Management vulnerability in Masteriyo LMS allows Privilege Escalation.This issue affects LMS: from n/a through 1.7.2.
- Affected versions
-
max 1.7.3.
- Status
-
vulnerable
Aug 12, 2024
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-43158
- CVE, Research URL
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.4.
- Affected versions
-
max 1.11.5.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-43159
- CVE, Research URL
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.6.
- Affected versions
-
max 1.12.0.
- Status
-
vulnerable
Aug 16, 2024
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-43239
- CVE, Research URL
- Date
- Aug 19, 2024
- Research Description
- Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4.
- Affected versions
-
max 1.11.5.
- Status
-
vulnerable
Oct 29, 2024
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-10000
- CVE, Research URL
- Date
- Oct 29, 2024
- Research Description
- The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the question's content parameter in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.13.4.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-10008
- CVE, Research URL
- Date
- Oct 29, 2024
- Research Description
- The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students.
- Affected versions
-
max 1.13.4.
- Status
-
vulnerable
Aug 02, 2025
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2025-54699
- CVE, Research URL
- Date
- Aug 14, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in masteriyo Masteriyo - LMS allows Stored XSS. This issue affects Masteriyo - LMS: from n/a through 1.18.3.
- Affected versions
-
max 1.18.4.
- Status
-
vulnerable
Jan 10, 2026
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2025-64270
- CVE, Research URL
- Date
- Dec 18, 2025
- Research Description
- Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in masteriyo Masteriyo - LMS learning-management-system allows Retrieve Embedded Sensitive Data.This issue affects Masteriyo - LMS: from n/a through <= 2.0.3.
- Affected versions
-
max 2.0.3.
- Status
-
vulnerable