VYPR
Unrated severity · NVD Advisory · Published Jun 22, 2023 · Updated Apr 28, 2026

WordPress MasterStudy LMS Plugin <= 3.0.8 is vulnerable to Broken Access Control

CVE-2023-35093

Description

Broken Access Control vulnerability in the StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin, versions <= 3.0.8, allows any logged-in user, such as a subscriber, to view the "Orders" of the plugin and get the data related to an order, such as email, username, and more.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Broken access control in MasterStudy LMS <=3.0.8 lets any logged-in user view other users' order data, exposing email, username, and more.

Vulnerability

The MasterStudy LMS WordPress Plugin versions prior to and including 3.0.8 contain a broken access control vulnerability in the order management functionality. The plugin fails to properly enforce authorization checks, allowing any authenticated user (including subscribers) to access the "Orders" endpoint and retrieve sensitive order data belonging to other users [1].

Exploitation

An attacker only needs to be logged into the WordPress site as any user (e.g., a subscriber account) and navigate to the plugin's orders interface or directly call the associated REST endpoint. No elevated privileges are required, and no user interaction from the victim is needed [1].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive information, including the email address and username of users associated with orders, as well as other order-related metadata. This information leakage can facilitate further targeted attacks, such as phishing or credential stuffing [1].

Mitigation

The vulnerability is fixed in version 3.0.9 and later. Users are strongly advised to update to the latest version (3.7.32 as of the reference date) immediately. No workaround is provided for versions prior to 3.0.8 [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: <=3.0.8
  • StylemixThemes/MasterStudy LMS WordPress Plugin – for Online Courses and Education (v5)
    Range: n/a

References

1