[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHEKDEgnG704cO7FR8b0pcoqsx_KCMYW6aeeTknyCDxM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40766","masterstudy-lms-wordpress-plugin-for-online-courses-and-education-authenticated-subscriber-sql-injection","MasterStudy LMS WordPress Plugin – for Online Courses and Education \u003C= 3.7.25 - Authenticated (Subscriber+) SQL Injection","The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.7.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","masterstudy-lms-learning-management-system",null,"\u003C=3.7.25","3.7.26","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-21 00:00:00","2026-04-30 14:58:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F93d8ed64-0b3e-4410-9166-6e7861d885ca?source=api-prod",10,[22,23,24,25,26,27,28,29],"_core\u002Fassets\u002Ficons\u002Fstyle.css","_core\u002Fincludes\u002Fuser_manager\u002FUserManager.Course.php","_core\u002Finit.php","_core\u002Flibraries\u002Fnuxy\u002FCHANGELOG.md","_core\u002Flibraries\u002Fnuxy\u002FNUXY.php","_core\u002Flibraries\u002Fnuxy\u002Fmetaboxes\u002Fassets\u002Fjs\u002Fsearch-by-settings.js","_core\u002Flms\u002Fclasses\u002Fcomments.php","_core\u002Flms\u002Fclasses\u002Femail_free_triggers.php","researched",false,3,"This research plan analyzes a Subscriber-level SQL injection vulnerability in the MasterStudy LMS WordPress Plugin (\u003C= 3.7.25).\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the `STM_LMS_User_Manager_Course::students` method, which handles the `stm_lms_dashboard_get_course_students` AJAX action. While the handler explicitly casts the `course_id` parameter to an integer in the local scope, it passes this value to `stm_lms_get_course_users()`. The vulnerability occurs because the underlying function or the queries it triggers either:\n1.  Access the global `$_GET['course_id']` (or other parameters) directly without using the sanitized local variable.\n2.  
Append unescaped user-supplied parameters (like sorting or filtering parameters) to the SQL query string.\n\nThis allows an authenticated user (Subscriber+) to inject SQL commands to extract sensitive data via UNION-based or Time-based techniques.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `stm_lms_dashboard_get_course_students`\n*   **Vulnerable Parameter:** `course_id` (primary candidate, but note the handler shown casts it with `intval()` before passing it on, so an injection through `course_id` would require a sub-function re-reading `$_GET` directly) or additional query parameters like `order`, `orderby`, or `search` consumed by the underlying data fetching logic.\n*   **Authentication:** Required (Subscriber or above).\n*   **Nonce:** Required. The nonce action is `stm_lms","The MasterStudy LMS plugin is vulnerable to an authenticated SQL injection via the 'stm_lms_dashboard_get_course_students' AJAX action. The advisory attributes this to underlying data-fetching functions failing to properly prepare SQL queries or allowing unescaped parameters (such as sorting or search filters) to be concatenated into queries, allowing Subscriber-level users to extract sensitive information. Caveat: the vendor diff shown for UserManager.Course.php does not change the query itself; it adds a current_user_can( 'publish_courses' ) capability check that calls wp_die() for lower-privileged users, which removes the Subscriber-level reachability of the handler. Whether stm_lms_get_course_users() or another of the eight patched files also hardens the SQL is not visible here, and this analysis was not verified against a running instance.","\u002F\u002F _core\u002Fincludes\u002Fuser_manager\u002FUserManager.Course.php line 14\n\tpublic function students() {\n\t\tcheck_ajax_referer( 'stm_lms_dashboard_get_course_students', 'nonce' );\n\n\t\t$course_id = intval( $_GET['course_id'] );\n\n\t\t$data               = array_reverse( array_map( array( $this, 'map_students' ), stm_lms_get_course_users( $course_id ) ) );","--- a\u002F_core\u002Fincludes\u002Fuser_manager\u002FUserManager.Course.php\n+++ b\u002F_core\u002Fincludes\u002Fuser_manager\u002FUserManager.Course.php\n@@ -14,6 +14,10 @@\n \tpublic function students() {\n \t\tcheck_ajax_referer( 'stm_lms_dashboard_get_course_students', 'nonce' );\n \n+\t\tif ( ! current_user_can( 'publish_courses' ) ) {\n+\t\t\twp_die();\n+\t\t}\n+\n \t\t$course_id = intval( $_GET['course_id'] );\n \n \t\t$data               = array_reverse( array_map( array( $this, 'map_students' ), stm_lms_get_course_users( $course_id ) ) );","1. Log in to the WordPress site with Subscriber-level privileges (on 3.7.25 or earlier; from 3.7.26 the handler calls wp_die() unless the account has the publish_courses capability).\n2. Obtain a valid AJAX nonce for the 'stm_lms_dashboard_get_course_students' action (often found in localized JavaScript variables on the dashboard); the handler verifies it with check_ajax_referer(), so it must be sent as the 'nonce' parameter.\n3. Send a GET request to \u002Fwp-admin\u002Fadmin-ajax.php with the following parameters:\n   - action: stm_lms_dashboard_get_course_students\n   - course_id: A valid course ID (the handler shown casts this with intval(), so it can only carry an injection if a sub-function re-reads $_GET['course_id'] directly, which is not confirmed here)\n   - nonce: The captured security nonce\n   - Additional parameters consumed by the underlying query, if any (e.g., 'search' or 'orderby'), containing a SQL payload such as ' UNION SELECT 1,2,3,user_pass FROM wp_users--'. The column count and the 'wp_' table prefix in this placeholder are assumptions; both must be matched to the actual query and site, which are not shown here.\n4. Analyze the JSON response to retrieve extracted database information.","gemini-3-flash-preview","2026-05-04 19:08:47","2026-05-04 19:09:33",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.7.25","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags\u002F3.7.25","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmasterstudy-lms-learning-management-system.3.7.25.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags\u002F3.7.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmasterstudy-lms-learning-management-system.3.7.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmasterstudy-lms-learning-management-system\u002Ftags"]