{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13766", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-27T16:40:43.878Z", "datePublished": "2026-01-06T08:21:48.418Z", "dateUpdated": "2026-04-08T16:42:51.744Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:51.744Z"}, "affected": [{"vendor": "stylemix", "product": "MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates"}], "title": "MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422825/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "thinnawarth mathuros"}], "timeline": [{"time": "2025-10-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-27T17:04:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-05T19:29:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:31:57.692857Z", "id": "CVE-2025-13766", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:32:09.184Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13766", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T14:31:57.692857Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:32:04.176Z"}}], "cna": {"title": "MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion", "credits": [{"lang": "en", "type": "finder", "value": "thinnawarth mathuros"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "stylemix", "product": "MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.7.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-27T17:04:25.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-05T19:29:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422825/"}], "descriptions": [{"lang": "en", "value": "The MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:51.744Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13766", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:51.744Z", "dateReserved": "2025-11-27T16:40:43.878Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T08:21:48.418Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates"}, {"lang": "es", "value": "El plugin de WordPress MasterStudy LMS \u2013 para cursos en l\u00ednea y educaci\u00f3n, un plugin para WordPress es vulnerable a la modificaci\u00f3n y eliminaci\u00f3n no autorizadas de datos debido a la falta de comprobaciones de capacidad en m\u00faltiples puntos finales de la API REST en todas las versiones hasta la 3.7.6, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, suban o eliminen archivos multimedia arbitrarios, eliminen o modifiquen publicaciones, y creen/gestionen plantillas de cursos."}], "id": "CVE-2025-13766", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-06T09:15:53.983", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3422825/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:17:57.420978+00:00", "value": {"mitigation_remediation": ["Upgrade the MasterStudy LMS WordPress plugin to the latest version that contains the missing authorization checks for its REST API endpoints.", "If an immediate upgrade is not possible, temporarily block or remove the plugin\u2019s REST API endpoints for non\u2011administrator roles by disabling the plugin or configuring a firewall rule that blocks requests to the /wp-json/masterstudy/v1/ URLs for Subscriber users.", "Revoke Subscriber or higher roles from users who do not require the ability to create or delete media and posts, or replace them with lower\u2011privileged roles that lack media upload capabilities."], "summary": {"action": "Apply patch", "impact": "Unauthorized content manipulation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the stylemix MasterStudy LMS WordPress plugin \u2013 for Online Courses and Education, specifically all releases up to and including version 3.7.6. Users running any of these versions are at risk of unauthorized modifications unless they upgrade to a fixed build.", "description_and_impact": "The MasterStudy LMS WordPress plugin contains missing authorization checks on several REST API endpoints. This deficiency allows authenticated users with Subscriber-level access or higher to upload or delete arbitrary media files, modify or delete posts, and create or manage course templates. The vulnerability is an instance of CWE\u2011862, meaning that the system fails to verify that the caller has permission to perform the requested action, which compromises data integrity.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low exploitation probability under current conditions. The vulnerability is not listed in the CISA KEV catalog. Attackers need to be authenticated, and the most likely attack vector is through the plugin\u2019s REST API endpoints that are accessible to Subscriber or more privileged users. Exploitation would allow the attacker to upload or delete arbitrary media, remove or alter posts, and manage course templates, thereby undermining the integrity and availability of site content."}}}}, "created": "2026-01-06T14:15:50.172044+00:00", "updated": "2026-04-22T20:30:26.767464+00:00", "vendors": ["stylemix", "stylemix$PRODUCT$masterstudy_lms_wordpress_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}