WordPress Security Bulletin: Masteriyo LMS Plugin Privilege Escalation (CVE-2026-4484)

Security Alert Summary

A privilege escalation vulnerability has been identified in the Masteriyo LMS plugin for WordPress affecting all versions up to and including 2.1.6. The issue allows an authenticated user with Student-level access or above to modify their user role via the plugin controller, potentially elevating their privileges to administrator.


CVE Details

  • CVE ID: CVE-2026-4484
  • Affected component: Masteriyo LMS plugin for WordPress
  • Affected versions: All versions up to, and including, 2.1.6
  • Published: March 26, 2026 at 02:16:07 AM UTC
  • Last modified: March 26, 2026 at 02:16:07 AM UTC
  • CVSS v3.1: Base Score 9.8, Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Authentication / Privileges / User Interaction: Privileges Required: NONE; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW
  • Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
  • CWE: CWE-862

Technical Details

The plugin allows a user's role to be updated through the InstructorsController::prepare_object_for_database function. Because that code path does not properly prevent role changes by low-privileged accounts, an authenticated attacker with Student-level access (or higher) can elevate their privileges to administrator. The vulnerable code is in the plugin's instructors controller, part of its REST API controllers, where the role value supplied in the request is processed without sufficient authorization checks.

The impact is privilege escalation to administrative capability; an attacker who successfully exploits this issue can perform any action permitted to administrators. The description and CVSS data indicate that no user interaction is required and that the vulnerability is exploitable over the network. Note that the CVSS vector records Privileges Required: None, whereas the description requires at least an authenticated Student-level account.
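The defect described above is a missing authorization check on a role value taken from the request. The following is an added example of how such a controller method can be hardened; it is illustrative code written for this bulletin, not the Masteriyo plugin's own controller or its patch, and the function name, text domain and role slugs (lms_student, lms_instructor) are hypothetical.

```php
<?php
/**
 * Illustrative hardening of a REST controller method that accepts a "role"
 * field while preparing a user record for the database. Example code for this
 * bulletin; not the Masteriyo plugin's controller or patch. The function name,
 * text domain and role slugs below are hypothetical.
 */

// Roles this endpoint is ever allowed to assign (hypothetical slugs).
// "administrator" is deliberately absent: an LMS endpoint has no reason to grant it.
const LMS_ASSIGNABLE_ROLES = array( 'lms_student', 'lms_instructor' );

/**
 * Builds the argument array for wp_update_user() from a REST request.
 * Returns WP_Error when the caller asks for a role change it may not make.
 *
 * @param WP_REST_Request $request Incoming REST request.
 * @param WP_User         $target  The user record being updated.
 * @return array|WP_Error
 */
function lms_prepare_user_for_database( WP_REST_Request $request, WP_User $target ) {
	$data = array( 'ID' => $target->ID );

	// Non-privileged fields can be copied through after sanitisation.
	if ( $request->has_param( 'display_name' ) ) {
		$data['display_name'] = sanitize_text_field( $request->get_param( 'display_name' ) );
	}

	// The vulnerable pattern is to copy "role" straight from the request into
	// $data. Here the requested role is honoured only when every check passes.
	if ( $request->has_param( 'role' ) ) {
		$requested = sanitize_key( $request->get_param( 'role' ) );

		// 1. The caller holds WordPress core's promotion capability for this target
		//    ('promote_user' is the meta capability core's own REST users controller
		//    checks), and 2. nobody changes their own role through this endpoint.
		$caller_may_promote = current_user_can( 'promote_user', $target->ID )
			&& get_current_user_id() !== $target->ID;

		// 3. The role is on the endpoint's allow-list and is actually registered.
		$role_allowed = in_array( $requested, LMS_ASSIGNABLE_ROLES, true )
			&& wp_roles()->is_role( $requested );

		if ( ! $caller_may_promote || ! $role_allowed ) {
			// 401 for anonymous callers, 403 for authenticated ones.
			return new WP_Error(
				'lms_rest_cannot_set_role',
				__( 'You are not allowed to assign this role.', 'lms-example' ),
				array( 'status' => rest_authorization_required_code() )
			);
		}

		$data['role'] = $requested;
	}

	return $data;
}
```

The key design choice is that a role field in the request is treated as a privileged operation in its own right: the capability check is tied to the specific target user, the assignable roles are an explicit allow-list rather than "anything get_role() knows about", and a failed check returns an error instead of silently keeping the old role, so the attempt surfaces in the REST response and in logs.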


How This Could Impact Your Website

Consider a site with multiple users: a site owner, internal staff (editors or managers), and external contributors or contractors who have Student-level access to course content. If a contributor or contractor is able to elevate their role to administrator, they could change site settings, manage plugins, access user data, or create additional administrative accounts. This increases the risk of exposure of internal email addresses and other sensitive data and raises the likelihood of targeted phishing or social engineering against staff and users.

If you are unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and student-level accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and audit logs for unusual behavior, such as unexpected role changes or new administrator accounts.
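The last item, monitoring for unexpected role changes and new administrator accounts, can be implemented in WordPress itself, because core fires the set_user_role and add_user_role actions whenever a role is assigned, whichever plugin or endpoint caused it. The following must-use plugin is an added example written for this bulletin, not code from Masteriyo; the rca_ function names and the log line prefix are hypothetical.

```php
<?php
/**
 * Plugin Name: Role Change Audit (example)
 * Description: Logs every WordPress role change and alerts when an account gains
 *              the administrator role. Example code written for this bulletin, to
 *              be dropped in wp-content/mu-plugins/; not part of Masteriyo.
 */

// Core fires these from WP_User::set_role() and WP_User::add_role(), regardless
// of which plugin, admin screen or REST endpoint triggered the change.
add_action( 'set_user_role', 'rca_on_set_role', 10, 3 );
add_action( 'add_user_role', 'rca_on_add_role', 10, 2 );

function rca_on_set_role( $user_id, $new_role, $old_roles ) {
	rca_record( (int) $user_id, (string) $new_role, (array) $old_roles );
}

function rca_on_add_role( $user_id, $role ) {
	// add_role() only appends, so report the current role set minus the new one as "old".
	$user = get_userdata( $user_id );
	$old  = $user ? array_diff( (array) $user->roles, array( $role ) ) : array();
	rca_record( (int) $user_id, (string) $role, array_values( $old ) );
}

function rca_record( $user_id, $new_role, array $old_roles ) {
	$target = get_userdata( $user_id );
	$actor  = wp_get_current_user(); // whoever is authenticated for this request, if anyone

	$entry = array(
		'time'      => current_time( 'mysql', true ),
		'target'    => $target ? $target->user_login : 'id:' . $user_id,
		'target_id' => $user_id,
		'old_roles' => implode( ',', $old_roles ),
		'new_role'  => $new_role,
		'actor'     => $actor->exists() ? $actor->user_login : 'none (cron/cli/unauthenticated)',
		'actor_id'  => (int) $actor->ID,
		'remote_ip' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
		'request'   => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
	);

	// One JSON object per line so a SIEM or a plain grep can consume the PHP error log.
	error_log( 'WP_ROLE_CHANGE ' . wp_json_encode( $entry ) );

	// Escalation signal: an account that was not an administrator now is. If the
	// acting user does not hold promote_users (as cached for this request), no
	// legitimate code path should have produced this change, so raise the priority.
	$became_admin = ( 'administrator' === $new_role ) && ! in_array( 'administrator', $old_roles, true );
	if ( $became_admin ) {
		$unprivileged_actor = $actor->exists() && ! user_can( $actor, 'promote_users' );
		$prefix = $unprivileged_actor ? '[ALERT] possible privilege escalation' : '[AUDIT] new administrator';
		wp_mail(
			get_option( 'admin_email' ),
			$prefix . ' on ' . wp_parse_url( home_url(), PHP_URL_HOST ),
			wp_json_encode( $entry, JSON_PRETTY_PRINT )
		);
	}
}
```

Placing the file in wp-content/mu-plugins/ means it loads before ordinary plugins and cannot be deactivated from the dashboard by a newly created administrator. For a one-off check of the current state, `wp user list --role=administrator` (WP-CLI) lists every administrator account so it can be compared against the expected set.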

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References