CVE-2025-13766

MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion

mediumMissing Authorization
5.4
CVSS Score
5.4
CVSS Score
medium
Severity
3.7.7
Patched in
1d
Time to patch

Description

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.7.6
PublishedJanuary 5, 2026
Last updatedJanuary 6, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-13766 MasterStudy LMS ## 1. Vulnerability Summary The **MasterStudy LMS** plugin for WordPress (up to and including version 3.7.6) contains a missing authorization vulnerability in several of its custom REST API endpoints. While these endpoints are intended fo…

Show full research plan

Exploitation Research Plan: CVE-2025-13766 MasterStudy LMS

1. Vulnerability Summary

The MasterStudy LMS plugin for WordPress (up to and including version 3.7.6) contains a missing authorization vulnerability in several of its custom REST API endpoints. While these endpoints are intended for instructors or administrators, they only verify that a user is authenticated, failing to check for specific capabilities (e.g., edit_posts or upload_files).

This allows any authenticated user—specifically those with Subscriber roles—to perform sensitive actions including uploading/deleting media, modifying or deleting posts (courses, lessons, etc.), and managing course templates.

2. Attack Vector Analysis

  • Endpoint Namespace: stm-lms/v1 (inferred from plugin slug and standard structure).
  • Vulnerable Endpoints (Inferred):
    • POST /wp-json/stm-lms/v1/media (Media Upload)
    • DELETE /wp-json/stm-lms/v1/media/(?P<id>[\d]+) (Media Deletion)
    • POST /wp-json/stm-lms/v1/editor/save (Post Modification)
    • DELETE /wp-json/stm-lms/v1/post/(?P<id>[\d]+) (Post Deletion)
  • Authentication: Authenticated, Subscriber-level or higher.
  • Preconditions:
    1. Plugin version <= 3.7.6 installed and active.
    2. A valid Subscriber account is required.
    3. REST API must be enabled (default in WordPress).

3. Code Flow

  1. Route Registration: The plugin registers REST routes during rest_api_init.
  2. Missing Check: In register_rest_route(), the permission_callback likely uses is_user_logged_in() or a custom function that returns true for all authenticated users instead of checking for specific capabilities like current_user_can('manage_options').
  3. Handler Execution: The handler function (e.g., STM_LMS_Media::upload_media) executes the requested action (e.g., wp_insert_attachment or wp_delete_post) based on user-supplied IDs or file data without verifying if the authenticated user owns the resource or has permission to modify it.

4. Nonce Acquisition Strategy

The WordPress REST API requires a _wpnonce (for the wp_rest action) in the X-WP-Nonce header for authenticated requests.

  1. Subscriber Login: Log in as the Subscriber user using the browser_navigate and browser_type tools.
  2. Identify Localization: MasterStudy LMS typically localizes its data into a global JavaScript object named stm_lms_vars.
  3. Extraction:
    • Navigate to the LMS Dashboard or any page where the plugin scripts are loaded.
    • Use browser_eval to extract the nonce:
      window.stm_lms_vars?.nonce || window.wpApiSettings?.nonce
      
    • Alternatively, check the page source for the wp-json link or the X-WP-Nonce in the wp_localize_script output.

5. Exploitation Strategy

Attack A: Unauthorized Media Upload

  1. Login: Authenticate as a Subscriber.
  2. Get Nonce: Extract the wp_rest nonce as described above.
  3. Request:
    • Method: POST
    • URL: /wp-json/stm-lms/v1/media (inferred endpoint)
    • Headers:
      • X-WP-Nonce: [NONCE]
      • Content-Type: multipart/form-data
    • Payload: A file parameter named file containing an image or document.
  4. Expected Response: A JSON object containing the new attachment ID.

Attack B: Unauthorized Post Deletion (IDOR)

  1. Target ID: Identify a post ID (e.g., a Course or Lesson ID) created by an Administrator.
  2. Request:
    • Method: DELETE
    • URL: /wp-json/stm-lms/v1/post/[POST_ID] (inferred endpoint)
    • Headers:
      • X-WP-Nonce: [NONCE]
  3. Expected Response: 200 OK or 204 No Content, confirming deletion of a post the Subscriber does not own.

6. Test Data Setup

  1. Users:
    • Administrator: admin / password
    • Subscriber: subscriber_user / password
  2. Content:
    • As Admin, create a "Private" course or post to ensure it isn't normally accessible/deletable by others.
    • wp post create --post_type=stm-courses --post_title="Sensitive Course" --post_status=publish
  3. Plugin Config: Ensure MasterStudy LMS is active and the "LMS Pages" (Dashboard, etc.) are generated.

7. Expected Results

  • The Subscriber's POST request to the REST endpoint should succeed with a 200 OK or 201 Created status code.
  • The response should return data indicating the action was performed (e.g., attachment metadata or success confirmation).
  • The plugin should NOT return a 403 Forbidden or 401 Unauthorized for the Subscriber.

8. Verification Steps

  1. Media Check:
    • wp media list --fields=ID,post_title,author
    • Verify a new attachment exists with the Subscriber as the author.
  2. Post Deletion Check:
    • wp post exists [ID]
    • Verify the Admin-created post ID no longer exists or has been moved to the trash.
  3. Database Inspection:
    • wp db query "SELECT * FROM wp_posts WHERE ID = [ID]"

9. Alternative Approaches

If the inferred endpoints are different:

  1. Grep for Routes: Run grep -r "register_rest_route" wp-content/plugins/masterstudy-lms-learning-management-system/ to find all registered paths.
  2. Check Capability Checks: Look for permission_callback arguments in the grep results. Any endpoint using __return_true or is_user_logged_in is a primary target.
  3. Course Template Creation: If post deletion is restricted, target POST /wp-json/stm-lms/v1/course_template to verify if a Subscriber can create administrative templates.
Research Findings
Static analysis — not yet PoC-verified

Summary

The MasterStudy LMS plugin for WordPress (versions up to and including 3.7.6) fails to properly restrict access to several REST API endpoints, leading to an authorization bypass. Authenticated users with Subscriber-level permissions can perform unauthorized actions such as uploading or deleting media, modifying or deleting posts, and managing course templates due to missing capability checks.

Exploit Outline

To exploit this vulnerability, an attacker first authenticates as a Subscriber-level user and retrieves a valid WordPress REST API nonce, typically found in the localized 'stm_lms_vars' or 'wpApiSettings' JavaScript objects on the site. The attacker then constructs a request to the vulnerable 'stm-lms/v1' namespace endpoints. For example, by sending a POST request to '/wp-json/stm-lms/v1/media' with a multipart file payload or a DELETE request to '/wp-json/stm-lms/v1/post/{id}' while including the 'X-WP-Nonce' header, the attacker can manipulate site content. The vulnerability occurs because the plugin's 'permission_callback' for these routes fails to check for specific capabilities like 'edit_posts' or 'upload_files', instead relying on simple authentication checks.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.