<0.1% probability · 12.4th percentile — 2026-04-17
Affected versions
Masteriyo LMS plugin for WordPress, all versions up to and including 2.1.6
Summary
This vulnerability allows authenticated attackers with student-level access or higher to elevate their privileges to full administrator. The flaw is in the InstructorsController::prepare_object_for_database function, which applies user role updates without filtering them. Successful exploitation gives attackers full control over the affected WordPress site.
Remediation
Update the Masteriyo LMS plugin to the latest patched version immediately. If you cannot update immediately, restrict plugin access to trusted users only and audit existing administrative accounts for unauthorized entries. Monitor for unexpected account changes to detect potential compromise early.
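The root cause described above is a role update taken from the request and applied without a capability check or an allow-list. The following is an added illustrative reconstruction written for this page, not the Masteriyo plugin's own code: the unsafe pattern beside a hardened version that uses only core WordPress APIs (`get_user_by`, `current_user_can`, `get_editable_roles`, `WP_User::set_role`); the function names and the plugin role names `masteriyo_student` / `masteriyo_instructor` are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress runtime.
// Hypothetical role-update handlers modelled on the advisory's description.

// UNSAFE PATTERN: the role string comes straight from the request body and
// is applied to the target user with no capability check or allow-list, so
// any value a WP role exists for (including 'administrator') is accepted.
function unsafe_prepare_object_for_database( array $request ) {
    $user = get_user_by( 'id', (int) $request['id'] );
    if ( $user && isset( $request['roles'] ) ) {
        $user->set_role( (string) $request['roles'] );
    }
    return $user;
}

// HARDENED PATTERN:
//  1. only callers who may promote users can change a role at all;
//  2. the requested role must be on the plugin's own allow-list (assumed names);
//  3. the role must be one the caller is allowed to assign: get_editable_roles()
//     strips roles above the caller's own level (it lives in wp-admin and may
//     need to be loaded explicitly in a REST/AJAX context).
function hardened_prepare_object_for_database( array $request ) {
    $user = get_user_by( 'id', (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'User not found.', array( 'status' => 404 ) );
    }
    if ( ! isset( $request['roles'] ) ) {
        return $user; // no role change requested, nothing more to validate
    }
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user->ID ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to change roles.', array( 'status' => 403 ) );
    }
    $requested = sanitize_key( (string) $request['roles'] );
    $allowed   = array( 'masteriyo_student', 'masteriyo_instructor' ); // assumed plugin roles
    if ( ! in_array( $requested, $allowed, true ) ) {
        return new WP_Error( 'invalid_role', 'Role not permitted here.', array( 'status' => 400 ) );
    }
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
    }
    if ( ! array_key_exists( $requested, get_editable_roles() ) ) {
        return new WP_Error( 'forbidden', 'Role cannot be assigned by this user.', array( 'status' => 403 ) );
    }
    $user->set_role( $requested );
    return $user;
}
```

With the hardened version, a student-level caller fails at the `promote_users` check, and even a privileged caller cannot assign a role outside the plugin's allow-list, which is the property the patched plugin needs to provide.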