Time-based Blind SQL Injection in MasterStudy LMS WordPress Plugin
CVE-2026-4817

6.5 MEDIUM

What is CVE-2026-4817?

The MasterStudy LMS WordPress Plugin, used for online courses and education, is vulnerable to time-based blind SQL injection through the 'order' and 'orderby' parameters of the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. The weakness comes from inadequate input sanitization combined with flaws in the plugin's custom Query builder class, which together allow unquoted SQL to be injected into ORDER BY clauses. When the sort_by parameter contains parentheses, the Query builder treats the input as a SQL function and appends it directly to the ORDER BY clause without quoting. Although esc_sql() is applied and escapes quotes and backslashes, it does not protect against ORDER BY injection where the value itself is unquoted. Authenticated attackers with minimal access rights can therefore inject arbitrary SQL into the ORDER BY clause and use time-based blind SQL injection techniques to expose critical information such as user credentials and session tokens.
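The usual mitigation for this class of bug is to never place request input in the ORDER BY clause at all, and instead map it to a fixed allowlist. The sketch below is an added example, not the plugin's code or its patch; the column names, the `build_order_by()` helper and the sample inputs are hypothetical, and `addslashes()` stands in for `esc_sql()` so the script runs outside WordPress.

```php
<?php
// Added example: allowlist-based ORDER BY construction.
// Column names are hypothetical, not taken from the plugin's schema.
const SORTABLE_COLUMNS = [
    'date'   => 'created_at',
    'price'  => 'price',
    'status' => 'status',
];

/**
 * Map request parameters to a fixed ORDER BY fragment.
 * The request value is only used as an array key; the SQL text comes
 * from constants in this file, so no user-supplied text reaches the query.
 */
function build_order_by(string $orderby, string $order): string
{
    $key = strtolower(trim($orderby));
    if (!array_key_exists($key, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    // Direction is one of two literals, never the raw input.
    $direction = strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';
    return sprintf('ORDER BY `%s` %s', SORTABLE_COLUMNS[$key], $direction);
}

// Constructed sample inputs.
$samples = [
    ['date', 'desc'],             // normal request
    ['price', 'sideways'],        // unknown direction falls back to ASC
    ['some_function(id)', 'asc'], // parenthesised expression: rejected
];

foreach ($samples as [$orderby, $order]) {
    // addslashes() stands in for esc_sql(): escaping quotes and backslashes
    // leaves an expression that contains neither completely unchanged.
    $escaped = addslashes($orderby);
    try {
        $result = build_order_by($orderby, $order);
    } catch (InvalidArgumentException $e) {
        $result = 'rejected (' . $e->getMessage() . ')';
    }
    printf("%-20s escaped=%-20s => %s\n", $orderby, $escaped, $result);
}
```

The third sample shows the gap the advisory describes: escaping returns the parenthesised value untouched, while the allowlist lookup refuses it before any SQL is built.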

Affected Version(s)

MasterStudy LMS WordPress Plugin – for Online Courses and Education 0 <= 3.7.25

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Naoya Takahashi