{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4484", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-20T07:04:46.566Z", "datePublished": "2026-03-26T01:25:33.967Z", "dateUpdated": "2026-03-26T01:25:33.967Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T01:25:33.967Z"}, "affected": [{"vendor": "masteriyo", "product": "Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator."}], "title": "Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/265be0af-66a4-4636-ab81-f8e2c5a1282e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.6/includes/RestApi/Controllers/Version1/InstructorsController.php#L305"}, {"url": "https://plugins.trac.wordpress.org/changeset/3490792/learning-management-system/trunk/includes/RestApi/Controllers/Version1/InstructorsController.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hunter Jensen"}], "timeline": [{"time": "2026-03-20T15:14:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T12:44:04.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator."}], "id": "CVE-2026-4484", "lastModified": "2026-03-26T02:16:07.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T02:16:07.913", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.6/includes/RestApi/Controllers/Version1/InstructorsController.php#L305"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3490792/learning-management-system/trunk/includes/RestApi/Controllers/Version1/InstructorsController.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/265be0af-66a4-4636-ab81-f8e2c5a1282e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Masteriyo LMS \u2013 Online Course Builder for eLearning, LMS & Education", "source": "cna", "vendor": "masteriyo"}, "product": "masteriyo_lms_\u2013_online_course_builder_for_elearning,_lms_&_education", "vendor": "masteriyo"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T03:10:48.911245+00:00", "value": {"mitigation_remediation": ["Upgrade the Masteriyo LMS plugin to the latest available version, which removes the authorize check from the prepare_object_for_database method.", "If an immediate upgrade is not possible, isolate or restrict the REST API endpoint that allows role modification by applying a firewall rule or plugin that blocks non\u2011administrator users from accessing it."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "All installations of the Masteriyo LMS plugin version 2.1.6 or earlier are affected. The issue resides in the InstructorsController class found in the plugin\u2019s REST API layer. Any WordPress site that has this plugin installed and has users with Student, Instructor or other roles is at risk.", "description_and_impact": "The Masteriyo LMS WordPress plugin contains a flaw in its REST API controller that lets any authenticated user with a Student or higher role update the role assigned to the user through the prepare_object_for_database method. This omitted authorization check allows the attacker to set their own role to Administrator, thereby gaining full control over the WordPress installation. The vulnerability is a classic privilege escalation flaw, identified as CWE\u2011862, and would grant the attacker the ability to modify site settings, manage content, compromise other users, and potentially exploit other weaknesses.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a high severity impact and suggests that exploitation would be trivial once authenticated. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog, implying no publicly known active exploits but a high potential for malicious use. Based on the description, the likely attack vector is via the REST API endpoint handled by InstructorsController, which accepts authenticated requests. An attacker only needs legitimate credentials with Student-level access or higher to exploit the flaw. The absence of additional access controls or hardening increases the ease of exploitation."}}}}, "created": "2026-03-26T11:30:50.331988+00:00", "updated": "2026-03-26T12:08:51.918743+00:00", "vendors": ["masteriyo", "masteriyo$PRODUCT$masteriyo_lms_\u2013_online_course_builder_for_elearning,_lms_&_education", "wordpress", "wordpress$PRODUCT$wordpress"]}