CVE-2026-8653
Description
The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to SQL Injection via the 'columns' parameter, allowing authenticated instructors to extract sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to SQL Injection in all versions up to and including 4.8.20. This vulnerability exists due to insufficient escaping of the user-supplied columns parameter and a lack of sufficient preparation in the existing SQL query [1].
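The root cause named above is a user-supplied column list reaching the query text. Column names are identifiers, so value escaping and value placeholders do not constrain them; the usual fix is to map each requested name onto a fixed allowlist. The sketch below is an added example, not the plugin's code and not taken from its fix: the function name, table name and column names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical names throughout; not MasterStudy LMS code.

// Columns a caller may request, mapped to the exact identifier emitted into SQL.
const ALLOWED_COLUMNS = [
    'id'         => '`id`',
    'title'      => '`title`',
    'created_at' => '`created_at`',
];

/**
 * Turn a user-supplied column list (array or comma-separated string) into a
 * SELECT list built only from ALLOWED_COLUMNS. Throws on anything else.
 */
function build_select_list($columns): string
{
    if (is_string($columns)) {
        $columns = explode(',', $columns);
    }
    if (!is_array($columns) || $columns === []) {
        throw new InvalidArgumentException('columns must be a non-empty list');
    }
    $out = [];
    foreach ($columns as $name) {
        $key = is_string($name) ? trim($name) : '';
        if (!array_key_exists($key, ALLOWED_COLUMNS)) {
            // Reject rather than strip: no part of the input reaches the SQL.
            throw new InvalidArgumentException('unknown column requested');
        }
        $out[$key] = ALLOWED_COLUMNS[$key]; // keyed by name to drop duplicates
    }
    return implode(', ', $out);
}

// Constructed inputs: one well-formed list, one carrying extra SQL text.
$samples = ['id,title', 'id, title FROM other_table'];
foreach ($samples as $raw) {
    try {
        // Values (the WHERE argument) still go through a placeholder,
        // for example the %d form accepted by $wpdb->prepare().
        $sql = 'SELECT ' . build_select_list($raw)
             . ' FROM `example_courses` WHERE `author_id` = %d';
        echo "accepted: $sql\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only strings from the allowlist are ever concatenated into the statement, so the second sample is rejected outright instead of being partially sanitized.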
Exploitation
An authenticated attacker with instructor-level access or higher can exploit this vulnerability. The attacker needs to manipulate the columns parameter to append additional SQL queries to an existing one, thereby extracting sensitive information from the database [1].
Impact
Successful exploitation allows an attacker to extract sensitive information from the WordPress database. The scope of the compromise is limited to the data accessible through the SQL injection, potentially including user data or course content, depending on the database schema and attacker's query [1].
Mitigation
MasterStudy LMS Pro Plus versions up to and including 4.8.20 are affected. A patched version is available, which should be applied as soon as possible. Users are advised to update to the latest version to remediate this vulnerability. Information regarding specific patch versions and release dates can be found on the vendor's website [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.8.20
- Range: <=4.8.20
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.