Unauthorized Data Modification in MasterStudy LMS Plugin for WordPress
CVE-2025-13766

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Masterstudy Lms WordPress Plugin – For Online Courses And Education
Vendor: CVE Published:; 6 January 2026

What is CVE-2025-13766?

The MasterStudy LMS plugin, designed for online courses and education on WordPress, is susceptible to unauthorized data manipulation. Due to inadequate capability checks on several REST API endpoints, users with Subscriber-level permissions and higher can exploit this vulnerability. This allows them to upload or erase arbitrary media files, modify or remove posts, and manage course templates without proper authorization. Ensuring users have the correct permissions is crucial to mitigate these risks.

Affected Version(s)

MasterStudy LMS WordPress Plugin – for Online Courses and Education * <= 3.7.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3422825/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 6, 2026
Vulnerability Reserved
Nov 27, 2025

Credit

thinnawarth mathuros

JSON