CVE-2026-40766

Vulnerability

A SQL injection vulnerability exists in the WordPress plugin MasterStudy LMS in versions 3.7.25 and earlier. The vulnerability is triggered within the subscriber functionality, meaning the injectable parameter is reachable through standard request data without any special configuration beyond having the plugin installed [1].

Exploitation

An attacker does not require authentication or any special network position; the injection can be performed over HTTP by sending crafted input to the vulnerable subscriber-related endpoint. No user interaction is needed. The attack can be automated and is expected to be used in mass-exploit campaigns targeting thousands of sites simultaneously [1].

Impact

Successful exploitation allows a malicious actor to directly interact with the database, enabling arbitrary reading and potentially modification of sensitive data, including user credentials, personal information, and site content. The CVSS score of 8.5 reflects high impact on confidentiality and integrity [1].

Mitigation

The vulnerability is fixed in version 3.7.26, released on or before the public disclosure date. Users are strongly advised to update immediately. A mitigation rule is available from Patchstack to block attacks until the update can be applied. No workaround beyond updating or applying a WAF rule has been published [1].