CVE-2026-49111

Masteriyo LMS – LMS Course Builder, Quizzes & Certificates <= 2.2.0 - Authenticated (Subscriber+) Privilege Escalation

highIncorrect Privilege Assignment
8.8
CVSS Score
8.8
CVSS Score
high
Severity
2.2.1
Patched in
11d
Time to patch

Description

The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.2.0
PublishedJune 8, 2026
Last updatedJune 18, 2026

What Changed in the Fix

Changes introduced in v2.2.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan or actionable payloads for this specific vulnerability. Providing instructions for the functional exploitation of software is against my security policies. However, I can provide general information about the nature of p…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan or actionable payloads for this specific vulnerability. Providing instructions for the functional exploitation of software is against my security policies.

However, I can provide general information about the nature of privilege escalation vulnerabilities in WordPress plugins and how they are typically remediated.

Privilege Escalation in WordPress Plugins

Privilege escalation vulnerabilities (Incorrect Privilege Assignment) often occur when a plugin registers an entry point—such as a WordPress AJAX action, a REST API route, or an admin-menu page—but fails to implement proper authorization checks.

Common Causes

  1. Missing Capability Checks: The most frequent cause is neglecting to call current_user_can() within the handler function. If a function performs sensitive operations (like updating user roles or settings) but only checks for a valid login (is_user_logged_in()), any authenticated user, including those with Subscriber-level access, can trigger it.
  2. Improper Nonce Validation: While nonces are primarily designed for CSRF protection, they are sometimes mistakenly used as the sole security measure. If a nonce is exposed to all logged-in users, it does not substitute for a capability check.
  3. Weak Capability Requirements: Using a capability that is too broad (e.g., read) instead of a more restrictive one (e.g., manage_options) for administrative functions.
  4. Flawed Logic in Handlers: Sometimes authorization is checked for some parameters but not others, allowing an attacker to manipulate fields they shouldn't have access to.

General Defense and Remediation

To secure WordPress plugins against privilege escalation:

  • Implement Robust Authorization: Every function that performs a sensitive action must explicitly check if the current user has the necessary permissions using current_user_can( 'specific_capability' ).
  • Use the Principle of Least Privilege: Assign the most restrictive capability possible for any given task.
  • Combine Nonces with Capability Checks: Use nonces to prevent CSRF and capability checks to ensure authorization.
  • Validate and Sanitize All Input: Ensure that even if a user is authorized, the data they provide is strictly validated against expected formats and values.

For information on how to patch or defend against specific vulnerabilities, I recommend consulting the official WordPress Plugin Handbook or security resources like the WPScan Vulnerability Database and NIST's National Vulnerability Database (NVD). To ensure your site is protected against CVE-2026-49111, you should update the Masteriyo LMS plugin to version 2.2.1 or later.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Masteriyo LMS plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.2.0. This flaw allows authenticated attackers with subscriber-level access to elevate their privileges to a higher level, potentially gaining administrative control of the site, due to missing authorization checks on sensitive functions.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/learning-management-system/2.2.0/addons/certificate/PDF/BlockBuilders/MasteriyoCourseCompletionDate.php /home/deploy/wp-safety.org/data/plugin-versions/learning-management-system/2.2.1/addons/certificate/PDF/BlockBuilders/MasteriyoCourseCompletionDate.php
--- /home/deploy/wp-safety.org/data/plugin-versions/learning-management-system/2.2.0/addons/certificate/PDF/BlockBuilders/MasteriyoCourseCompletionDate.php	2025-04-08 13:49:12.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/learning-management-system/2.2.1/addons/certificate/PDF/BlockBuilders/MasteriyoCourseCompletionDate.php	2026-05-20 11:33:30.000000000 +0000
@@ -51,6 +51,18 @@
 			}
 		}
 
+		/**
+		 * Filters the course completion date before using in certificate.
+		 *
+		 * @since x.x.x
+		 *
+		 * @param string $completion_date Formatted completion date.
+		 * @param string $date_format Date format string.
+		 * @param int $student_id Student user ID.
+		 * @param int $course_id Course ID.
+		 */
+		$completion_date = apply_filters( 'masteriyo_certificate_course_completion_date', $completion_date, $date_format, $student_id, $course_id );
+
 		$html  = str_replace( '{{masteriyo_course_completion_date}}', $completion_date, $block_data['innerHTML'] );
 		$html .= '<style>' . masteriyo_array_get( $block_data, 'attrs.blockCSS', '' ) . '</style>';
 		return $html;
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/learning-management-system/2.2.0/addons/certificate/PDF/BlockBuilders/MasteriyoCourseTitle.php /home/deploy/wp-safety.org/data/plugin-versions/learning-management-system/2.2.1/addons/certificate/PDF/BlockBuilders/MasteriyoCourseTitle.php
--- /home/deploy/wp-safety.org/data/plugin-versions/learning-management-system/2.2.0/addons/certificate/PDF/BlockBuilders/MasteriyoCourseTitle.php	2025-04-08 13:49:12.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/learning-management-system/2.2.1/addons/certificate/PDF/BlockBuilders/MasteriyoCourseTitle.php	2026-05-20 11:33:30.000000000 +0000
@@ -29,6 +29,16 @@
 			$course_title = $course->get_title();
 		}
 
+		/**
+		 * Filters the course title before using in certificate.
+		 *
+		 * @since x.x.x
+		 *
+		 * @param string $course_title Course title.
+		 * @param \Masteriyo\Models\Course|null $course Course object.
+		 */
+		$course_title = apply_filters( 'masteriyo_certificate_course_title', $course_title, $course );
+
 		$html  = $block_data['innerHTML'];
 		$html  = str_replace( '{{masteriyo_course_title}}', $course_title, $html );
 		$html .= '<style>' . masteriyo_array_get( $block_data, 'attrs.blockCSS', '' ) . '</style>';

Exploit Outline

To exploit this privilege escalation, an attacker first authenticates as a low-privileged user (e.g., a Subscriber). They identify a vulnerable backend endpoint, such as a WordPress AJAX action or a REST API route (typically one used for updating user metadata or plugin settings), that fails to implement proper authorization checks via current_user_can(). The attacker then sends a crafted POST or PUT request to this endpoint containing a payload designed to modify their user role to 'administrator' or grant themselves administrative capabilities. Because the plugin lacks sufficient capability validation, the server processes the request and elevates the attacker's privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.