MasterStudy LMS Pro Plus Plugin Vulnerability (CVE-2026-8653)


Security Alert Summary

The MasterStudy LMS Pro Plus plugin for WordPress contains a SQL injection vulnerability in the columns parameter that affects all versions up to, and including, 4.8.20. Authenticated users with instructor-level access or higher can manipulate the parameter to append additional SQL into existing queries, which can be used to extract sensitive information from the site database.

CVE Details

  • CVE ID: CVE-2026-8653
  • Affected component: MasterStudy LMS Pro Plus plugin for WordPress
  • Affected versions: all versions up to, and including, 4.8.20
  • Published: June 4, 2026 at 02:16:17 AM UTC
  • Last modified: June 4, 2026 at 01:53:09 PM UTC
  • CVSS v3.1: Base Score 6.5, Severity MEDIUM
    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Authentication / Privileges / User interaction: Authenticated attackers with instructor-level access or above; Privileges required: LOW; User interaction: NONE
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • Weakness (CWE): CWE-89 (SQL Injection)

Technical Details

The plugin fails to properly escape or sufficiently prepare a user-supplied columns parameter before incorporating it into an existing SQL query. Because the value is spliced into the statement without adequate sanitization or parameterization, an authenticated attacker with instructor-level privileges or higher can append additional SQL fragments to the query.

The appended SQL changes what the database executes and lets the attacker read data the application never intended to return, which is a classic SQL injection (CWE-89) caused by insufficient escaping and lack of proper query preparation. A column list is a worse place than usual for this mistake: identifiers cannot be bound as prepared-statement parameters the way values can (a bound value becomes a quoted string literal, not a column reference), so the correct fix is to validate each requested column against a fixed allowlist, or to use an identifier-specific placeholder such as the %i placeholder that $wpdb->prepare() supports in WordPress 6.2 and later, rather than to quote the input. No specific function names or REST endpoints are provided in the source description beyond the columns parameter.
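The following is an added illustration written for this page, not code from the MasterStudy plugin (the advisory does not identify the affected function): a hypothetical course-listing query that splices a caller-controlled columns value into the SELECT list, shown beside a version that checks the value against an allowlist, plus a short demonstration of why binding the column name as a parameter is not a fix. The table names, columns, sample rows and the injected payload are all constructed for the example; it uses SQLite in place of MySQL, and the same pattern applies to $wpdb queries in a WordPress plugin.

```python
import sqlite3

# Hypothetical allowlist of column names a caller is permitted to request.
ALLOWED_COLUMNS = {"id", "title", "status"}

# Constructed payload: a scalar subquery smuggled into the SELECT list.
# Controlling only the column list is enough to read from other tables.
INJECTED_COLUMNS = "id, (SELECT user_email FROM users WHERE id = 1)"


def setup_db():
    """Build an in-memory database populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE courses (
            id INTEGER PRIMARY KEY, title TEXT, status TEXT, instructor_id INTEGER);
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
        INSERT INTO courses VALUES (1, 'Intro course', 'publish', 7);
        INSERT INTO courses VALUES (2, 'Second course', 'draft', 7);
        INSERT INTO users VALUES (1, 'admin', 'admin@example.invalid');
        INSERT INTO users VALUES (7, 'instructor', 'instructor@example.invalid');
    """)
    return conn


def list_courses_vulnerable(conn, columns, instructor_id):
    """VULNERABLE: the column list is interpolated verbatim.

    The WHERE value is bound as a parameter, but that does not help: the
    attacker-controlled text sits in the SELECT list, outside any placeholder.
    """
    sql = f"SELECT {columns} FROM courses WHERE instructor_id = ?"
    return conn.execute(sql, (instructor_id,)).fetchall()


def list_courses_hardened(conn, columns, instructor_id):
    """HARDENED: every requested column must match the allowlist exactly.

    Identifiers cannot be bound as prepared-statement parameters (see
    identifier_as_parameter below), so validation is the correct control.
    """
    requested = [c.strip() for c in columns.split(",")]
    unknown = [c for c in requested if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"unknown column(s) requested: {unknown}")
    sql = f"SELECT {', '.join(requested)} FROM courses WHERE instructor_id = ?"
    return conn.execute(sql, (instructor_id,)).fetchall()


def identifier_as_parameter(conn, column, instructor_id):
    """Why a placeholder is not a fix for identifiers: the bound value becomes a
    string literal, so every row returns the text of the column name rather
    than the column's contents."""
    sql = "SELECT ? FROM courses WHERE instructor_id = ?"
    return conn.execute(sql, (column, instructor_id)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(list_courses_vulnerable(db, "id, title", 7))
    print(list_courses_vulnerable(db, INJECTED_COLUMNS, 7))  # leaks the admin email
    try:
        list_courses_hardened(db, INJECTED_COLUMNS, 7)
    except ValueError as exc:
        print("rejected:", exc)
    print(identifier_as_parameter(db, "title", 7))
```

Run as-is, the vulnerable function returns the admin's email address on every row for an instructor who only controls the columns value, the hardened function refuses the same input before any SQL runs, and the last call shows that quoting or binding the column name with a value placeholder would merely return the literal string "title", which is why escaping alone does not resolve this class of bug.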

How This Could Impact Your Website

In a typical site setup there may be the site owner, staff members who manage content, instructors who create courses, and external contractors or contributors. An instructor-level account controlled by an attacker could be used to exploit this SQL injection to read data from the database that the attacker should not normally access.

Practical consequences can include exposure of internal user email addresses and other stored data, which increases the risk of targeted phishing or social engineering against staff and users. The issue, as described, affects data confidentiality rather than altering content or availability.

If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially instructor and contributor accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and database access logs for unusual behavior.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
