"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 2
Critical: 0
High: 0
Medium: 2
Showing 1-2 of 2 records
Threat Entry Updated 2026-04-17

CVE-2026-4817 - Masterstudy Lms Learning Management System Plugin

The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. This is due to insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. When the Query builder detects parentheses in the sort_by parameter, it treats the value as a SQL function and directly concatenates it into the…

PLUGIN Masterstudy Lms Learning Management System

CVE-2026-4817

MEDIUM CVSS 6.5 2026-04-17
Threat Entry Updated 2025-01-22

CVE-2024-2106 - Masterstudy Lms Learning Management System Plugin

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. This can allow unauthenticated attackers to extract sensitive data, including all registered users' usernames and email addresses, which can be used to help perform future attacks.

PLUGIN Masterstudy Lms Learning Management System

CVE-2024-2106

MEDIUM CVSS 5.3 2024-03-13