{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5167", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-30T15:04:11.752Z", "datePublished": "2026-04-08T06:43:41.319Z", "dateUpdated": "2026-04-08T17:17:31.736Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:31.736Z"}, "affected": [{"vendor": "masteriyo", "product": "Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content."}], "title": "Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d51dc3-b695-4e9d-b25a-d1b302be1fec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L563-639"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L563-639"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L649-704"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L649-704"}, {"url": "https://plugins.trac.wordpress.org/changeset/3499458/learning-management-system/trunk/addons/stripe/StripeAddon.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2026-03-30T15:19:24.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T17:55:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:48:00.565657Z", "id": "CVE-2026-5167", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:13:58.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5167", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:48:00.565657Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:48:02.688Z"}}], "cna": {"title": "Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "masteriyo", "product": "Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-30T15:19:24.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T17:55:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d51dc3-b695-4e9d-b25a-d1b302be1fec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L563-639"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L563-639"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L649-704"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L649-704"}, {"url": "https://plugins.trac.wordpress.org/changeset/3499458/learning-management-system/trunk/addons/stripe/StripeAddon.php"}], "descriptions": [{"lang": "en", "value": "The Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T06:43:41.319Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5167", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:13:58.532Z", "dateReserved": "2026-03-30T15:04:11.752Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T06:43:41.319Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content."}], "id": "CVE-2026-5167", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:22.853", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L563-639"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L649-704"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L563-639"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L649-704"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3499458/learning-management-system/trunk/addons/stripe/StripeAddon.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d51dc3-b695-4e9d-b25a-d1b302be1fec?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education", "source": "cna", "vendor": "masteriyo"}, "product": "masteriyo_lms_\u2013_online_course_builder_for_elearning,_lms_&_education", "vendor": "masteriyo"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:29:18.332704+00:00", "value": {"mitigation_remediation": ["Check the plugin vendor\u2019s website for a newer release that addresses the webhook verification issue and upgrade to that version if available.", "If a patch is not yet released, configure a non\u2011empty webhook_secret value in the Stripe addon settings and enforce the presence of the HTTP_STRIPE_SIGNATURE header for all webhook requests.", "If the Stripe webhook endpoint is not required for business operations, disable or block that endpoint so it is no longer publicly reachable.", "Monitor order completion logs for unexpected entries that may indicate unauthorized activity.", "Implement additional access controls to ensure that only users who have paid and recorded a completed order can access paid courses."], "summary": {"action": "Patch", "impact": "Unauthorized Order Completion"}, "threat_synthesis": {"affected_systems": "All WordPress installations running Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education plugin up to and including version 2.1.7 that have the Stripe addon enabled are impacted. The vulnerability resides in the StripeAddon.php file handling webhooks and affects any site that exposes this endpoint.", "description_and_impact": "The Masteriyo LMS plugin for WordPress processes Stripe webhook events without proper signature verification when the webhook_secret setting is empty. The handler accepts any POST request, and if a HTTP_STRIPE_SIGNATURE header is present it only verifies the signature if a secret is configured. Because the default secret value is an empty string, an unauthenticated attacker can craft a JSON payload with any order_id in the metadata and have the plugin record that order as completed, effectively bypassing payment and granting access to paid course content. This flaw represents an authorization bypass (CWE\u2011639).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector likely involves sending an unauthenticated HTTP POST to the Stripe webhook URL from the public internet with a forged JSON payload containing a desired order_id. Successful exploitation allows an attacker to mark any order as completed without payment and gain unauthorized access to course materials."}}}}, "created": "2026-04-08T19:31:06.754353+00:00", "updated": "2026-04-08T19:43:38.899129+00:00", "vendors": ["masteriyo", "masteriyo$PRODUCT$masteriyo_lms_\u2013_online_course_builder_for_elearning,_lms_&_education", "wordpress", "wordpress$PRODUCT$wordpress"]}