Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Masteriyo LMS – LMS Course Builder, Quizzes & Certificates by masteriyo
CVE-2026-11773 (GCVE-0-2026-11773)
Vulnerability from nvd – Published: 2026-06-27 06:50 – Updated: 2026-06-29 12:20
VLAI
Title
Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification
Summary
The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| masteriyo | Masteriyo LMS – LMS Course Builder, Quizzes & Certificates |
Affected:
0 , ≤ 2.2.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T12:19:37.940286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T12:20:04.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Masteriyo LMS \u2013 LMS Course Builder, Quizzes \u0026 Certificates",
"vendor": "masteriyo",
"versions": [
{
"lessThanOrEqual": "2.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ilinor"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Masteriyo LMS \u2013 LMS Course Builder, Quizzes \u0026 Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T06:50:57.531Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5780d762-2313-4c81-be02-99543359d824?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.2.1/addons/course-announcement/Controllers/CourseAnnouncementController.php#L782"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.2.1/addons/course-announcement/Controllers/CourseAnnouncementController.php#L619"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.8/addons/course-announcement/Controllers/CourseAnnouncementController.php#L782"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.8/addons/course-announcement/Controllers/CourseAnnouncementController.php#L619"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3583519%40learning-management-system\u0026new=3583519%40learning-management-system\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-09T12:11:09.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-26T17:55:05.000Z",
"value": "Disclosed"
}
],
"title": "Masteriyo LMS \u003c= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11773",
"datePublished": "2026-06-27T06:50:57.531Z",
"dateReserved": "2026-06-09T11:55:57.904Z",
"dateUpdated": "2026-06-29T12:20:04.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11773 (GCVE-0-2026-11773)
Vulnerability from cvelistv5 – Published: 2026-06-27 06:50 – Updated: 2026-06-29 12:20
VLAI
Title
Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification
Summary
The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| masteriyo | Masteriyo LMS – LMS Course Builder, Quizzes & Certificates |
Affected:
0 , ≤ 2.2.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T12:19:37.940286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T12:20:04.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Masteriyo LMS \u2013 LMS Course Builder, Quizzes \u0026 Certificates",
"vendor": "masteriyo",
"versions": [
{
"lessThanOrEqual": "2.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ilinor"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Masteriyo LMS \u2013 LMS Course Builder, Quizzes \u0026 Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T06:50:57.531Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5780d762-2313-4c81-be02-99543359d824?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.2.1/addons/course-announcement/Controllers/CourseAnnouncementController.php#L782"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.2.1/addons/course-announcement/Controllers/CourseAnnouncementController.php#L619"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.8/addons/course-announcement/Controllers/CourseAnnouncementController.php#L782"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.8/addons/course-announcement/Controllers/CourseAnnouncementController.php#L619"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3583519%40learning-management-system\u0026new=3583519%40learning-management-system\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-09T12:11:09.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-26T17:55:05.000Z",
"value": "Disclosed"
}
],
"title": "Masteriyo LMS \u003c= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11773",
"datePublished": "2026-06-27T06:50:57.531Z",
"dateReserved": "2026-06-09T11:55:57.904Z",
"dateUpdated": "2026-06-29T12:20:04.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}