CVE-2025-32237
Description
Missing authorization in MasterStudy LMS <=3.5.28 allows unauthenticated users to exploit incorrectly configured access control, leading to unauthorized access to sensitive plugin features.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing authorization vulnerability exists in the WordPress plugin MasterStudy LMS for Online Courses and Education (masterstudy-lms-learning-management-system) versions up to and including 3.5.28 [1]. The flaw lies in how access control security levels are configured, allowing endpoints to be reached without proper permission checks. This potentially exposes sensitive functionality intended only for authenticated users with specific roles.
Exploitation
An unauthenticated attacker with no prior privileges can exploit this vulnerability by sending crafted HTTP requests to the affected plugin's endpoints [1]. No user interaction is required: because the authorization check is missing, the request does not need to carry any session or authentication token.
Impact
Successful exploitation allows an attacker to access functionality or data that should be protected by access control restrictions. This could lead to unauthorized information disclosure or modification of plugin settings. The exact impact depends on which unsecured actions are reachable, but the vulnerability is classified as medium severity (CVSS 4.3) by the reporter.
Mitigation
As of April 2025, a patched version 3.7.32 is available and was last updated on 2026-05-19 [1]. Users should upgrade to the latest version immediately. No workarounds are documented in the available references. The plugin remains actively maintained, and users running version 3.5.28 or earlier are vulnerable [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=3.5.28
- Range: <= 3.5.28
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.