CVE-2026-42743

Vulnerability

The Masteriyo LMS plugin for WordPress versions up to 2.1.8 contains an unauthenticated broken authentication vulnerability. This flaw allows an attacker to perform actions that should only be accessible to higher-privileged users, without needing any prior authentication or specific permissions [1].

Exploitation

The vulnerability can be exploited remotely without authentication or user interaction. It is actively used in mass-exploit campaigns targeting thousands of websites. An attacker can send specially crafted requests to bypass authentication checks and assume higher privileges [1].

Impact

Successful exploitation grants the attacker administrative-level access to the affected WordPress site. This can lead to full site compromise, including data theft, site defacement, and deployment of malicious payloads [1].

Mitigation

The vendor has released version 2.1.9 which addresses the vulnerability. Users are strongly advised to update to this version or later immediately. Patchstack also offers a mitigation rule that blocks attacks until the update is applied [1].