CVE-2025-64215

Vulnerability

MasterStudy LMS Pro versions before 4.7.16 contain a missing authorization vulnerability that allows unauthenticated or low-privileged users to access functionality not properly constrained by access control lists (ACLs). The issue resides in the plugin's handling of permission checks, where certain endpoints or actions are reachable without verifying the user's capabilities [1].

Exploitation

An attacker with network access to a WordPress site running a vulnerable version of MasterStudy LMS Pro can send crafted HTTP requests to trigger the affected functionality. No authentication or only minimal privileges (e.g., subscriber-level) are required, depending on the specific unconstrained endpoint. The attack can be automated and incorporated into mass-exploit campaigns targeting many sites simultaneously [1].

Impact

Successful exploitation allows an attacker to perform actions or access features that should be restricted to higher-privileged users (e.g., administrators). This can lead to unauthorized data access, modification, or privilege escalation, depending on the exact functionality exposed. The CVSS v3 score is 6.5 (Medium) [1].

Mitigation

The vulnerability is fixed in version 4.7.16. Users should update to this version or later immediately. For those unable to update, mitigation rules have been issued by Patchstack that block attacks until the patch is applied [1].