MasterStudy LMS WordPress Plugin <= 3.2.5 - SQL Injection

The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied...

CVE-2026-57640

Subscriber Broken Access Control in MasterStudy LMS = 3.7.30 versions...

EUVD-2026-39755

Subscriber Broken Access Control in MasterStudy LMS = 3.7.30 versions...

CVE-2026-57640 WordPress MasterStudy LMS plugin <= 3.7.30 - Broken Access Control vulnerability

Subscriber Broken Access Control in MasterStudy LMS = 3.7.30 versions...

CVE-2026-57640

CVE-2026-57640 : A Broken Access Control vulnerability affects the WordPress plugin MasterStudy LMS up to version 3.7.30 . The issue is documented with a CVSS 3.1 base score of 4.3 (Medium) and describes restricted access conditions that could permit unauthorized exposure of resources. The availa...

WordPress MasterStudy LMS plugin <= 3.7.30 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by lagi bljr in WordPress Plugin MasterStudy LMS versions = 3.7.30...

MasterStudy LMS <2.7.6 - Improper Access Control

WordPress MasterStudy LMS plugin before 2.7.6 is susceptible to improper access control. The plugin does not validate some parameters given when registering a new account, which can allow an attacker to register as an admin, thus potentially being able to obtain sensitive information, modify data...

EUVD-2026-36976

Subscriber SQL Injection in MasterStudy LMS = 3.7.25 versions...

CVE-2026-40766

Subscriber SQL Injection in MasterStudy LMS = 3.7.25 versions...

CVE-2026-40766 WordPress MasterStudy LMS plugin <= 3.7.25 - SQL Injection vulnerability

Subscriber SQL Injection in MasterStudy LMS = 3.7.25 versions...

CVE-2026-40766

CVE-2026-40766 concerns the WordPress MasterStudy LMS plugin (versions

CVE-2025-64215

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16...

CVE-2025-64215 WordPress MasterStudy LMS Pro plugin < 4.7.16 - Broken Access Control vulnerability

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16...

EUVD-2025-210138

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16...

CVE-2025-64215 WordPress MasterStudy LMS Pro plugin < 4.7.16 - Broken Access Control vulnerability

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16...

CVE-2025-64215

CVE-2025-64215 affects WordPress MasterStudy LMS Pro (StylemixThemes) prior to 4.7.16. The issue is a Missing Authorization vulnerability causing Broken Access Control by allowing access to functionality not properly constrained by ACLs. The publicly cited source (Patchstack) lists the vulnerabil...

PT-2026-49226

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16...

PT-2026-49411

Subscriber SQL Injection in MasterStudy LMS = 3.7.25 versions...

CVE-2026-4817

The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. This is due to insufficient...

CVE-2026-8653

The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in all versions up to, and including, 4.8.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...