[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fttlKBh5tKf-ElXttNISIsMhvL7R4h2lGe8jiu0K3vdo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42743","masteriyo-lms-lms-course-builder-quizzes-certificates-missing-authorization","Masteriyo LMS – LMS Course Builder, Quizzes & Certificates \u003C= 2.1.8 - Missing Authorization","The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.1.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.","learning-management-system",null,"\u003C=2.1.8","2.1.9","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-28 00:00:00","2026-06-02 11:47:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4f76d908-91e7-4933-afab-9a7bfe18e088?source=api-prod",5,[22,23,24,25,26,27,28,29],"addons\u002Fbricks-integration\u002FBricksIntegrationAddon.php","addons\u002Felementor-integration\u002FElementorIntegrationAddon.php","addons\u002Fgoogle-meet\u002FRestApi\u002FGoogleMeetController.php","addons\u002Flemon-squeezy-integration\u002FLemonSqueezyIntegrationAddon.php","addons\u002Flemon-squeezy-integration\u002Fassets\u002Fjs\u002Fbackend\u002Fcomponents\u002FLemonSqueezyIntegrationSetting.tsx","assets\u002Fcss\u002Fblock.css","assets\u002Fcss\u002Fpublic.css","assets\u002Fjs\u002Fbuild\u002Fmasteriyo-backend.asset.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-42743\n\n## 1. Vulnerability Summary\nThe **Masteriyo LMS** plugin (up to and including version 2.1.8) contains a **Missing Authorization** vulnerability. Specifically, several integration addons (Google Meet, Lemon Squeezy, Bricks, and Elementor) register actions or REST API endpoints that either lack capability checks or fail to properly verify the identity\u002Fpermissions of the requester. \n\nThe most technical and impactful manifestation is likely in the **Lemon Squeezy Integration Addon**, where a webhook handler is registered via `wp_ajax_nopriv_masteriyo_lemon_squeezy_webhook`. If this handler processes order data (such as enrolling users in courses) without verifying the Lemon Squeezy signature, an unauthenticated attacker can forge payment notifications to gain unauthorized access to paid courses.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php?action=masteriyo_lemon_squeezy_webhook`\n- **Alternative Endpoint:** REST API routes under `wp-json\u002Fmasteriyo\u002Fv1\u002F` (e.g., `google-meet`, `settings`) if parent controllers lack default authorization.\n- **HTTP Method:** `POST`\n- **Authentication:** None (unauthenticated).\n- **Payload Type:** JSON (mimicking a Lemon Squeezy webhook event).\n- **Preconditions:** The Lemon Squeezy integration must be active (or the attacker must trigger","Masteriyo LMS is vulnerable to unauthorized access due to missing and improper capability checks across several integrations. Unauthenticated attackers can spoof Lemon Squeezy payment webhooks to gain access to paid courses, while logged-in users can bypass restrictions on Google Meet content if their account role is not specifically identified as 'student'.","\u002F* addons\u002Flemon-squeezy-integration\u002FLemonSqueezyIntegrationAddon.php *\u002F\npublic function handle_webhook() {\n    try {\n        $payload   = file_get_contents( 'php:\u002F\u002Finput' );\n        $signature = $_SERVER['HTTP_X_SIGNATURE'] ?? '';\n        $event     = json_decode( $payload, true );\n\n        if ( is_null( $event ) ) {\n            throw new Exception( 'Event is null.', 400 );\n        }\n\n        \u002F\u002F Verify signature.\n        $secret = Setting::get_webhook_secret();\n        $hash   = hash_hmac( 'sha256', $payload, $secret );\n        if ( ! hash_equals( $hash, $signature ) ) {\n            masteriyo_get_logger()->error( 'Invalid signature', array( 'source' => 'payment-lemon-squeezy' ) );\n            throw new Exception( 'Invalid signature.', 403 );\n        }\n\n---\n\n\u002F* addons\u002Fgoogle-meet\u002FRestApi\u002FGoogleMeetController.php *\u002F\n\u002F\u002F (line 305 approx.)\nif ( is_user_logged_in() && masteriyo_is_current_user_student() && ! masteriyo_can_start_course( $course ) ) {\n    return new \\WP_Error(\n        'masteriyo_rest_cannot_start_course',\n        __( 'Sorry, you have not bought the course.', 'learning-management-system' ),\n        array(\n            'status' => rest_authorization_required_code(),\n        )\n    );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearning-management-system\u002F2.1.8\u002Faddons\u002Fgoogle-meet\u002FRestApi\u002FGoogleMeetController.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearning-management-system\u002F2.1.9\u002Faddons\u002Fgoogle-meet\u002FRestApi\u002FGoogleMeetController.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearning-management-system\u002F2.1.8\u002Faddons\u002Fgoogle-meet\u002FRestApi\u002FGoogleMeetController.php\t2025-12-16 16:25:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearning-management-system\u002F2.1.9\u002Faddons\u002Fgoogle-meet\u002FRestApi\u002FGoogleMeetController.php\t2026-05-04 17:27:34.000000000 +0000\n@@ -305,7 +305,7 @@\n \t\t\t\treturn true;\n \t\t\t}\n \n-\t\t\tif ( is_user_logged_in() && masteriyo_is_current_user_student() && ! masteriyo_can_start_course( $course ) ) {\n+\t\t\tif ( is_user_logged_in() && ! masteriyo_is_current_user_admin() && ! masteriyo_is_current_user_instructor() && ! masteriyo_can_start_course( $course ) ) {\n \t\t\t\treturn new \\WP_Error(\n \t\t\t\t\t'masteriyo_rest_cannot_start_course',\n \t\t\t\t\t__( 'Sorry, you have not bought the course.', 'learning-management-system' ),\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearning-management-system\u002F2.1.8\u002Faddons\u002Flemon-squeezy-integration\u002FLemonSqueezyIntegrationAddon.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearning-management-system\u002F2.1.9\u002Faddons\u002Flemon-squeezy-integration\u002FLemonSqueezyIntegrationAddon.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearning-management-system\u002F2.1.8\u002Faddons\u002Flemon-squeezy-integration\u002FLemonSqueezyIntegrationAddon.php\t2025-01-02 13:28:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flearning-management-system\u002F2.1.9\u002Faddons\u002Flemon-squeezy-integration\u002FLemonSqueezyIntegrationAddon.php\t2026-05-04 17:27:34.000000000 +0000\n@@ -343,9 +373,21 @@\n \t\t\t\tthrow new Exception( 'Event is null.', 400 );\n \t\t\t}\n \n+\t\t\tif ( empty( $signature ) ) {\n+\t\t\t\tmasteriyo_get_logger()->error( 'Missing signature header', array( 'source' => 'payment-lemon-squeezy' ) );\n+\t\t\t\tthrow new Exception( 'Missing signature.', 403 );\n+\t\t\t}\n+\n \t\t\t\u002F\u002F Verify signature.\n \t\t\t$secret = Setting::get_webhook_secret();\n-\t\t\t$hash   = hash_hmac( 'sha256', $payload, $secret );\n+\n+\t\t\t\u002F\u002F Reject when no secret is configured — an empty key lets anyone forge a valid HMAC.\n+\t\t\tif ( empty( $secret ) ) {\n+\t\t\t\tmasteriyo_get_logger()->error( 'Webhook secret is not configured', array( 'source' => 'payment-lemon-squeezy' ) );\n+\t\t\t\tthrow new Exception( 'Webhook secret is not configured.', 403 );\n+\t\t\t}\n+\n+\t\t\t$hash = hash_hmac( 'sha256', $payload, $secret );\n \t\t\tif ( ! hash_equals( $hash, $signature ) ) {\n \t\t\t\tmasteriyo_get_logger()->error( 'Invalid signature', array( 'source' => 'payment-lemon-squeezy' ) );\n \t\t\t\tthrow new Exception( 'Invalid signature.', 403 );","The exploit targets the Lemon Squeezy webhook handler. An unauthenticated attacker sends a POST request to `wp-admin\u002Fadmin-ajax.php?action=masteriyo_lemon_squeezy_webhook` with a JSON payload mimicking a successful purchase event (e.g., `order_created`). Because the plugin fails to enforce a configured 'Webhook Secret' and accepts empty signatures, an attacker can sign the payload using an empty key (`hash_hmac('sha256', $payload, '')`) and provide this value in the `X-Signature` header. The plugin validates this signature against the default empty secret, matches it, and processes the fake payment to enroll the attacker in any course.","gemini-3-flash-preview","2026-06-04 16:18:35","2026-06-04 16:19:32",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.1.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearning-management-system\u002Ftags\u002F2.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flearning-management-system.2.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearning-management-system\u002Ftags\u002F2.1.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flearning-management-system.2.1.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearning-management-system\u002Ftags"]