Vulnerabilities and security researches forlearning-management-system learning-management-system
Direction: ascendingJun 06, 2024
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # d9707c35db1ab0be9227a865ddf0998f4b634bf3
- CVE, Research URL
- Date
- Jul 03, 2023
- Research Description
- Masteriyo LMS – Online Course Builder for eLearning, LMS & Education [learning-management-system] < 1.6.8 Masteriyo - LMS for WordPress <= 1.6.7 - Sensitive Information Exposure The Masteriyo - LMS for WordPress plugin is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.6.7 via the 'get_item' REST callback. This can allow authenticated attackers to extract sensitive data including user metadata.
- Affected versions
-
max 1.6.8.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-33939
- CVE, Research URL
- Date
- May 19, 2025
- Research Description
- Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress.This issue affects Masteriyo - LMS: from n/a through 1.7.3.
- Affected versions
-
max 1.7.4.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2023-3345
- CVE, Research URL
- Date
- Jul 31, 2023
- Research Description
- The LMS by Masteriyo WordPress plugin before 1.6.8 does not have proper authorization in one some of its REST API endpoints, making it possible for any students to retrieve email addresses of other students
- Affected versions
-
max 1.6.8.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-24882
- CVE, Research URL
- Date
- May 17, 2024
- Research Description
- Improper Privilege Management vulnerability in Masteriyo LMS allows Privilege Escalation.This issue affects LMS: from n/a through 1.7.2.
- Affected versions
-
max 1.7.3.
- Status
-
vulnerable
Aug 12, 2024
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-43158
- CVE, Research URL
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.4.
- Affected versions
-
max 1.11.5.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-43159
- CVE, Research URL
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in Masteriyo Masteriyo - LMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masteriyo - LMS: from n/a through 1.11.6.
- Affected versions
-
max 1.12.0.
- Status
-
vulnerable
Aug 16, 2024
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-43239
- CVE, Research URL
- Date
- Aug 19, 2024
- Research Description
- Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4.
- Affected versions
-
max 1.11.5.
- Status
-
vulnerable
Oct 29, 2024
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-10000
- CVE, Research URL
- Date
- Oct 29, 2024
- Research Description
- The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the question's content parameter in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 1.13.4.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2024-10008
- CVE, Research URL
- Date
- Oct 29, 2024
- Research Description
- The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students.
- Affected versions
-
max 1.13.4.
- Status
-
vulnerable
Aug 02, 2025
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2025-54699
- CVE, Research URL
- Date
- Aug 14, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in masteriyo Masteriyo - LMS allows Stored XSS. This issue affects Masteriyo - LMS: from n/a through 1.18.3.
- Affected versions
-
max 1.18.4.
- Status
-
vulnerable
Jan 10, 2026
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2025-64270
- CVE, Research URL
- Date
- Dec 18, 2025
- Research Description
- Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in masteriyo Masteriyo - LMS learning-management-system allows Retrieve Embedded Sensitive Data.This issue affects Masteriyo - LMS: from n/a through <= 2.0.3.
- Affected versions
-
max 2.0.3.
- Status
-
vulnerable
Apr 14, 2026
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2026-4484
- CVE, Research URL
- Date
- Mar 26, 2026
- Research Description
- The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.
- Affected versions
-
max 2.1.7.
- Status
-
vulnerable
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2026-5167
- CVE, Research URL
- Date
- Apr 08, 2026
- Research Description
- The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.
- Affected versions
-
max 2.1.8.
- Status
-
vulnerable
Apr 26, 2026
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course # CVE-2026-39524
- CVE, Research URL
- Date
- -
- Research Description
- Masteriyo LMS – Online Course Builder for eLearning, LMS & Education [learning-management-system] < 2.1.6 CVE-2026-39524
- Affected versions
-
max 2.1.6.
- Status
-
vulnerable