CVE-2026-40766

MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.25 - Authenticated (Subscriber+) SQL Injection

Severity: medium
Weakness: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score: 6.5
Patched in: 3.7.26
Time to patch: 10d

Description

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.7.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 3.7.25
Published: April 21, 2026
Last updated: April 30, 2026

What Changed in the Fix

Changes introduced in v3.7.26


Source Code

WordPress.org SVN
Research Plan
Unverified


This research plan analyzes a Subscriber-level SQL injection vulnerability in the MasterStudy LMS WordPress Plugin (<= 3.7.25).

1. Vulnerability Summary

The vulnerability exists in the STM_LMS_User_Manager_Course::students method, which handles the stm_lms_dashboard_get_course_students AJAX action. The handler casts the course_id parameter to an integer in its local scope and passes that value to stm_lms_get_course_users(), so the injection cannot be in the handler's own line; the working hypothesis is that the underlying function, or the queries it triggers, either:

  1. reads the global $_GET['course_id'] (or other parameters) directly instead of the sanitized local variable, or
  2. appends unescaped user-supplied parameters (such as sorting or filtering parameters) to the SQL query string.

Either path would let an authenticated user (Subscriber+) inject SQL and extract sensitive data via UNION-based or time-based techniques.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: stm_lms_dashboard_get_course_students
  • Vulnerable Parameter: not pinned down by the handler shown. course_id is only a candidate if a sub-function re-reads $_GET['course_id'] instead of the intval()'d local; otherwise the candidates are additional query parameters such as order, orderby, or search consumed by the underlying data-fetching logic.
  • Authentication: Required (Subscriber or above).
  • Nonce: Required. The nonce action is `stm_lms
Research Findings
Static analysis — not yet PoC-verified

Summary

The MasterStudy LMS plugin is vulnerable to an authenticated SQL injection reachable through the 'stm_lms_dashboard_get_course_students' AJAX action. Static analysis attributes this to underlying data-fetching functions that do not prepare their SQL queries, or that concatenate unescaped parameters (such as sorting or search filters) into them, which lets Subscriber-level users extract sensitive information from the database.

Vulnerable Code

// _core/includes/user_manager/UserManager.Course.php line 14
public function students() {
	// Nonce check: CSRF protection only, not an authorization check. Any
	// logged-in user who can read the nonce reaches this handler.
	check_ajax_referer( 'stm_lms_dashboard_get_course_students', 'nonce' );

	// Cast to int locally; the raw $_GET value remains readable by any
	// downstream code that touches the superglobal directly.
	$course_id = intval( $_GET['course_id'] );

	// The student lookup (and its SQL) lives in stm_lms_get_course_users(),
	// which is not shown on this page.
	$data = array_reverse( array_map( array( $this, 'map_students' ), stm_lms_get_course_users( $course_id ) ) );
	// ... remainder of the handler not shown
}

Security Fix

--- a/_core/includes/user_manager/UserManager.Course.php
+++ b/_core/includes/user_manager/UserManager.Course.php
@@ -14,6 +14,10 @@
 	public function students() {
 		check_ajax_referer( 'stm_lms_dashboard_get_course_students', 'nonce' );
 
+		if ( ! current_user_can( 'publish_courses' ) ) {
+			wp_die();
+		}
+
 		$course_id = intval( $_GET['course_id'] );
 
 		$data               = array_reverse( array_map( array( $this, 'map_students' ), stm_lms_get_course_users( $course_id ) ) );
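Review bot: the hunk only inserts a current_user_can( 'publish_courses' ) gate ahead of the unchanged intval( $_GET['course_id'] ) and stm_lms_get_course_users( $course_id ) lines, so nothing visible here prepares or escapes the query the description says was injectable. If the injection sits inside stm_lms_get_course_users() (the Research Plan's hypothesis), this narrows the attacker pool to users holding publish_courses rather than removing the injection; the data-fetching query should also go through $wpdb->prepare() with an allow-list for any sort or filter input, and that change should appear in the same fix. Minor: wp_die() with no arguments replies to the AJAX caller with an empty body and no explicit error status; wp_send_json_error( null, 403 ) would give the client a clear 403.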

Exploit Outline

  1. Log in to the WordPress site with Subscriber-level privileges.
  2. Obtain a valid AJAX nonce for the 'stm_lms_dashboard_get_course_students' action (often found in localized JavaScript variables on the dashboard).
  3. Send a GET request to /wp-admin/admin-ajax.php with the following parameters:
     • action: stm_lms_dashboard_get_course_students
     • course_id: a valid course ID
     • nonce: the captured security nonce
     • additional unescaped parameters (e.g. 'search', 'orderby', or a raw injection into 'course_id' if a sub-function reads it from $_GET directly) carrying a SQL payload like ' UNION SELECT 1,2,3,user_pass FROM wp_users--
  4. Analyze the JSON response to retrieve extracted database information.
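The triage scanner below is an added example, not code from the plugin or from this advisory. It takes the request shape described in the Attack Vector Analysis and the Exploit Outline above and runs it over web-server access logs: every request to /wp-admin/admin-ajax.php whose action is stm_lms_dashboard_get_course_students is flagged when course_id is not numeric, when it carries parameters the handler does not expect, or when any value contains common SQL-injection indicators. Assumptions: combined log format with the full request target (path and query string) in the request line; the indicator regex and the sample log lines are constructed for the example and are not real traffic.

```python
"""Triage scanner for admin-ajax.php requests aimed at the MasterStudy LMS
students handler. Added example; not code from the plugin or the advisory."""
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "stm_lms_dashboard_get_course_students"
# Parameters the handler shown on the advisory reads itself; anything else is
# at best consumed by a sub-function and worth a look.
EXPECTED_PARAMS = {"action", "course_id", "nonce"}

# Cheap injection indicators, tuned for recall: a hit means "look at this",
# not "exploited". Constructed for this example.
SQLI_INDICATORS = re.compile(
    r"union\s+(all\s+)?select|sleep\s*\(|benchmark\s*\(|information_schema"
    r"|\bor\b\s+\d+\s*=\s*\d+|--|/\*|['\"]",
    re.IGNORECASE,
)

# Assumed log shape: Apache/nginx combined log format with the request target
# (path plus query string) in the request line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze(line):
    """Return a finding dict for a suspicious request to the target action, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != AJAX_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so the indicators are
    # matched against what PHP will actually see in $_GET.
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("action", [""])[0] != TARGET_ACTION:
        return None

    reasons = []
    # The handler intval()s course_id, but the Research Plan's first hypothesis
    # is a sub-function re-reading $_GET, so a non-numeric value is still notable.
    for cid in params.get("course_id", []):
        if not cid.isdigit():
            reasons.append(f"non-numeric course_id={cid!r}")
    for name, values in params.items():
        for value in values:
            if SQLI_INDICATORS.search(value):
                reasons.append(f"injection indicator in {name}={value!r}")
    extra = sorted(set(params) - EXPECTED_PARAMS)
    if extra:
        reasons.append("unexpected parameters: " + ", ".join(extra))
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": m.group("status"),
        "reasons": reasons,
    }


def scan(lines):
    """Run analyze() over an iterable of log lines and collect the findings."""
    return [f for f in map(analyze, lines) if f is not None]


# Constructed sample log lines (not real traffic). Only GET requests are visible
# this way; POST bodies never reach the access log.
SAMPLE_LOG = [
    # legitimate-looking call: numeric course_id, only the expected parameters
    '198.51.100.20 - - [21/Apr/2026:09:58:11 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=stm_lms_dashboard_get_course_students&course_id=42&nonce=7b1f0c9a2d'
    ' HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    # unrelated AJAX action: must not be flagged
    '198.51.100.20 - - [21/Apr/2026:09:58:40 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    # UNION-style payload smuggled in an extra sort parameter
    '203.0.113.7 - - [21/Apr/2026:10:15:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=stm_lms_dashboard_get_course_students&course_id=42&nonce=7b1f0c9a2d'
    '&orderby=id%27+UNION+SELECT+1%2C2%2C3%2Cuser_pass+FROM+wp_users--'
    ' HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    # time-based probe placed directly in course_id
    '203.0.113.7 - - [21/Apr/2026:10:15:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=stm_lms_dashboard_get_course_students&course_id=42+AND+SLEEP%285%29'
    '&nonce=7b1f0c9a2d HTTP/1.1" 200 2310 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["status"], "; ".join(finding["reasons"]))
```

The scanner deliberately flags any extra parameter on this action, because the handler only consumes action, course_id and nonce and the advisory's hypothesis is that the injection rides on something a sub-function reads; expect some noise from legitimate front-end scripts and tune EXPECTED_PARAMS to what your installed version actually sends. Because the handler reads $_GET, GET requests are the expected shape, which is what makes access-log triage viable here; a WAF or application log would be needed to see the same payload in a POST body.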
