Authorization Bypass Vulnerability in Masteriyo LMS Plugin for WordPress
CVE-2026-5167

5.3 MEDIUM

What is CVE-2026-5167?

The Masteriyo LMS plugin for WordPress, used to build online learning platforms, contains an authorization bypass caused by insufficient verification of webhook signatures in its handle_webhook() function. The webhook endpoint processes payloads from unauthenticated requests without properly verifying their signatures. Because the default value of webhook_secret is an empty string, an unauthenticated attacker can submit forged Stripe webhook events that change order statuses, marking any course as paid and gaining access to premium content without authorization.
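To make the failure mode concrete, here is an added illustration (Python rather than the plugin's PHP, and not Masteriyo's own code) of a Stripe-style signature check that is vacuous when the secret is empty, beside a verifier that fails closed. The function names, the sample event and the whsec_ value are constructed for the example; the signing scheme (HMAC-SHA256 over "<timestamp>.<raw body>", sent as t=...,v1=... in the Stripe-Signature header) is Stripe's documented one.

```python
import hashlib
import hmac

TOLERANCE_SECONDS = 300  # Stripe's documented default window for the "t=" timestamp

def stripe_v1_signature(secret: str, ts: int, payload: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", the scheme behind Stripe's v1 signatures."""
    return hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()

def parse_signature_header(header: str) -> tuple[int, list[str]]:
    """Parse "t=<ts>,v1=<hex>[,v1=<hex>...]" into the timestamp and candidate signatures."""
    ts, sigs = None, []
    for element in header.split(","):
        key, _, value = element.strip().partition("=")
        if key == "t":
            ts = int(value)
        elif key == "v1":
            sigs.append(value)
    if ts is None or not sigs:
        raise ValueError("malformed Stripe-Signature header")
    return ts, sigs

def verify_weak(secret: str, payload: bytes, header: str) -> bool:
    """Hypothetical weak check: compares MACs but never asks whether a secret is configured."""
    ts, sigs = parse_signature_header(header)
    expected = stripe_v1_signature(secret, ts, payload)  # with "" as key, anyone can compute this
    return any(hmac.compare_digest(expected, s) for s in sigs)

def verify_hardened(secret: str, payload: bytes, header: str, now: int) -> bool:
    """Fail closed when no secret is configured and enforce the replay window."""
    if not secret:
        return False
    ts, sigs = parse_signature_header(header)
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = stripe_v1_signature(secret, ts, payload)
    return any(hmac.compare_digest(expected, s) for s in sigs)

def demo() -> dict:
    # Constructed sample event and a constructed secret standing in for a real whsec_ value.
    payload = b'{"type":"checkout.session.completed","data":{"object":{"metadata":{"order_id":"42"}}}}'
    now, secret = 1_700_000_000, "whsec_constructed_example_only"
    empty_secret_header = f"t={now},v1={stripe_v1_signature('', now, payload)}"
    genuine_header = f"t={now},v1={stripe_v1_signature(secret, now, payload)}"
    return {
        "weak_accepts_with_empty_secret": verify_weak("", payload, empty_secret_header),
        "hardened_rejects_with_empty_secret": not verify_hardened("", payload, empty_secret_header, now),
        "hardened_accepts_genuine": verify_hardened(secret, payload, genuine_header, now),
        "hardened_rejects_stale": not verify_hardened(secret, payload, genuine_header, now + 600),
    }
```

Every entry returned by demo() is True: the weak check lets the empty-secret event through, while the hardened one refuses it, still accepts a genuinely signed event, and rejects the same event replayed outside the timestamp window.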

Affected Version(s)

Masteriyo LMS – Online Course Builder for eLearning, LMS & Education: versions 0 through 2.1.7 (all releases up to and including 2.1.7)

References

CVSS v3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Md. Moniruzzaman Prodhan