CVE-2026-49111
Description
Incorrect privilege assignment in Masteriyo – LMS plugin for WordPress allows unauthenticated privilege escalation up to administrator level.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Masteriyo – LMS plugin for WordPress, version 2.2.0 and earlier, suffers from an Incorrect Privilege Assignment vulnerability. The flaw resides in the plugin’s role and capability handling, allowing unauthorized elevation of user roles. No special configuration is required beyond having the plugin installed and active. [1]
Exploitation
An attacker with low-privileged access (e.g., a subscriber or customer role) can exploit this vulnerability by sending specially crafted HTTP requests. The attack does not require any prior authentication beyond the low-privileged account, and the vector is network-based. The exploit is considered highly dangerous and is expected to be used in mass campaigns targeting thousands of sites. [1]
Impact
Successful exploitation allows the attacker to escalate their privileges to an administrative level, leading to full compromise of the WordPress site. The attacker can then install malicious plugins, modify content, exfiltrate data, or pivot to further attacks. The CVSS v3 score is 8.8, indicating high severity. [1]
Mitigation
The vulnerability is patched in version 2.2.1 and later. Administrators should update the plugin immediately. If updating is not possible, Patchstack has issued a mitigation rule to block attacks until the plugin is updated. There is no other known workaround. The vulnerability is not yet listed on the KEV catalog as of the publication date. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.