MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation
Description
The MasterStudy LMS WordPress plugin before 3.0.18 does not have proper checks in place during registration, allowing anyone to register on the site as an instructor. They can then add courses and/or posts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MasterStudy LMS WordPress plugin before 3.0.18 allows unauthenticated users to register as instructors, enabling unauthorized course and post creation.
Vulnerability
The MasterStudy LMS WordPress plugin (versions before 3.0.18) lacks proper authorization checks during the user registration process. This allows any unauthenticated visitor to register on the site with the "instructor" role, bypassing intended restrictions. The affected plugin is masterstudy-lms-learning-management-system [1].
Exploitation
An attacker does not need any prior authentication or special privileges. By simply visiting the registration page and submitting a registration request with the appropriate parameters (e.g., selecting the instructor role), they can create an instructor account. No additional user interaction is required beyond the attacker's own actions [1].
Impact
Upon successful registration as an instructor, the attacker gains the ability to create and manage courses and posts within the WordPress site. This leads to unauthorized content creation and potential privilege escalation, as the instructor role typically has elevated capabilities compared to a subscriber. The CVSS score is 6.5 (medium) [1].
Mitigation
The vulnerability is fixed in version 3.0.18 of the MasterStudy LMS plugin. Users should update to this version or later immediately. No workarounds are provided in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 3.0.18
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization checks in the user registration flow allow any unauthenticated user to register with the Instructor role."
Attack vector
An unauthenticated attacker visits the WordPress registration page while the MasterStudy LMS plugin is active. Because the plugin does not enforce proper role checks during registration [ref_id=1], the attacker can select or be assigned the Instructor role without any verification. Once registered as an Instructor, the attacker gains the ability to create courses and/or posts on the site [ref_id=1]. No authentication or prior access is required, making this a low-complexity, network-based attack.
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the registration logic of the MasterStudy LMS plugin for WordPress, versions before 3.0.18 [ref_id=1]. The plugin fails to include proper authorization checks when processing new user registrations, allowing the Instructor role to be assigned without verification.
What the fix does
The advisory states the vulnerability is fixed in version 3.0.18 of the MasterStudy LMS plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds proper capability checks or role validation during the registration process to prevent unauthenticated users from being assigned the Instructor role. Users should update to version 3.0.18 or later to remediate the issue.
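The advisory names no file or function, so the following is an added illustration, not code from the MasterStudy LMS plugin or the advisory: a registration handler that takes the role from the request (the pattern the root cause describes) next to a hardened version that ignores any user-supplied role and elevates only for an actor with `promote_users`. The role slug `instructor_role_slug` is a placeholder, and the `set_user_role` guard at the end is a hypothetical compensating control, not a workaround from the references.

```php
<?php
// Added example; not the plugin's code. 'instructor_role_slug' is a
// placeholder for whatever role slug the plugin actually uses.

// VULNERABLE PATTERN: the role is read from an unauthenticated POST body.
function insecure_register_user( array $post ) {
    return wp_insert_user( [
        'user_login' => sanitize_user( $post['user_login'] ),
        'user_email' => sanitize_email( $post['user_email'] ),
        'user_pass'  => $post['user_pass'],
        'role'       => sanitize_key( $post['role'] ), // attacker-controlled
    ] );
}

// HARDENED: self-registration never accepts a role. Everyone gets the site
// default role; elevation happens only if the acting user may promote users.
function secure_register_user( array $post ) {
    $user_id = wp_insert_user( [
        'user_login' => sanitize_user( $post['user_login'] ),
        'user_email' => sanitize_email( $post['user_email'] ),
        'user_pass'  => $post['user_pass'],
        'role'       => get_option( 'default_role', 'subscriber' ),
    ] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $wants_instructor = isset( $post['role'] )
        && 'instructor_role_slug' === sanitize_key( $post['role'] );
    if ( $wants_instructor && current_user_can( 'promote_users' ) ) {
        ( new WP_User( $user_id ) )->set_role( 'instructor_role_slug' );
    } elseif ( $wants_instructor ) {
        // Log the attempt; the account stays at the default role.
        error_log( "Instructor role requested at self-registration for user {$user_id}; denied" );
    }
    return $user_id;
}

// Hypothetical compensating control: if any code path hands out the
// instructor role while no user with 'promote_users' is acting, revert it
// and log. wp_insert_user() calls set_role(), so this also catches the
// insecure handler above.
add_action( 'set_user_role', function ( $user_id, $role ) {
    if ( 'instructor_role_slug' === $role && ! current_user_can( 'promote_users' ) ) {
        ( new WP_User( $user_id ) )->set_role( get_option( 'default_role', 'subscriber' ) );
        error_log( "Reverted unauthorized instructor role on user {$user_id}" );
    }
}, 10, 2 );
```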
Preconditions
- Config: The MasterStudy LMS plugin must be installed and active on a WordPress site.
- Config: WordPress user registration must be enabled (or the plugin provides its own registration endpoint).
- Auth: No authentication is required; the attacker can be unauthenticated.
- Network: The attacker must have network access to the WordPress site's registration page or API endpoint.
Reproduction
Navigate to the WordPress registration page (e.g., /wp-login.php?action=register) on a site running MasterStudy LMS before version 3.0.18. Complete the registration form, selecting or being automatically assigned the Instructor role. After submitting, log in with the created account and verify that Instructor-level capabilities (creating courses and posts) are available [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- wpscan.com/vulnerability/cb3173ec-9891-4bd8-9d05-24fe805b5235 (mitre, exploit, vdb-entry, technical-description)
- packetstormsecurity.com/files/175007/WordPress-Masterstudy-LMS-3.0.17-Account-Creation.html (mitre)