CVE-2026-39524

Vulnerability

A broken access control vulnerability exists in the Masteriyo - LMS plugin for WordPress versions 2.1.5 and earlier. The plugin fails to properly enforce authorization checks, allowing unauthenticated attackers to bypass payment requirements for course enrollment and other paid features. This issue is classified as a missing authorization or nonce token check in a function that should require higher privileges.

Exploitation

An attacker with no authentication or network access to any WordPress site running a vulnerable version of the plugin can exploit this flaw. No special position or user interaction is required. The attacker sends a crafted request to the vulnerable endpoint, bypassing the payment verification step.

Impact

Successful exploitation allows an unauthenticated attacker to access paid course content, certificates, or other premium features without making any payment. This leads to financial loss for the site owner and undermines the LMS’s monetization model. The CIA impact is primarily on availability or integrity of the business logic (payment bypass), with low direct impact on data confidentiality.

Mitigation

The vulnerability is fixed in version 2.1.6 [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, site owners should consult their hosting provider or web developer for assistance [1].