{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4817", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-25T13:39:50.506Z", "datePublished": "2026-04-17T01:24:37.193Z", "dateUpdated": "2026-04-17T01:24:37.193Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T01:24:37.193Z"}, "affected": [{"vendor": "stylemix", "product": "MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.25", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. This is due to insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. When the Query builder detects parentheses in the sort_by parameter, it treats the value as a SQL function and directly concatenates it into the ORDER BY clause without any quoting. While esc_sql() is applied to escape quotes and backslashes, this cannot prevent ORDER BY injection when the values themselves are not wrapped in quotes in the resulting SQL statement. This makes it possible for authenticated attackers, with subscriber-level access and above, to append arbitrary SQL queries via the ORDER BY clause to extract sensitive information from the database including user credentials, session tokens, and other confidential data through time-based blind SQL injection techniques."}], "title": "MasterStudy LMS <= 3.7.25 - Authenticated (Subscriber+) Time-based Blind SQL Injection via 'order' and 'orderby' Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a51fe96-f3d3-46fe-9e3a-fb7c1bd17b05?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/vendor/Query.php#L676"}, {"url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/vendor/Query.php#L676"}, {"url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php#L202"}, {"url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/models/StmStatistics.php#L202"}, {"url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php#L238"}, {"url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/models/StmStatistics.php#L238"}, {"url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/route.php#L16"}, {"url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/route.php#L16"}, {"url": "https://ti.wordfence.io/vendors/patch/1789/download"}, {"url": "https://plugins.trac.wordpress.org/changeset/3506029/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/vendor/Query.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fmasterstudy-lms-learning-management-system/tags/3.7.25&new_path=%2Fmasterstudy-lms-learning-management-system/tags/3.7.26"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Naoya Takahashi"}], "timeline": [{"time": "2026-03-25T13:55:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T12:48:08.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. This is due to insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. When the Query builder detects parentheses in the sort_by parameter, it treats the value as a SQL function and directly concatenates it into the ORDER BY clause without any quoting. While esc_sql() is applied to escape quotes and backslashes, this cannot prevent ORDER BY injection when the values themselves are not wrapped in quotes in the resulting SQL statement. This makes it possible for authenticated attackers, with subscriber-level access and above, to append arbitrary SQL queries via the ORDER BY clause to extract sensitive information from the database including user credentials, session tokens, and other confidential data through time-based blind SQL injection techniques."}], "id": "CVE-2026-4817", "lastModified": "2026-04-17T02:16:05.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T02:16:05.883", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/models/StmStatistics.php#L202"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/models/StmStatistics.php#L238"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/classes/vendor/Query.php#L676"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/tags/3.7.17/_core/lms/route.php#L16"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php#L202"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/models/StmStatistics.php#L238"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/vendor/Query.php#L676"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/masterstudy-lms-learning-management-system/trunk/_core/lms/route.php#L16"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3506029/masterstudy-lms-learning-management-system/trunk/_core/lms/classes/vendor/Query.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fmasterstudy-lms-learning-management-system/tags/3.7.25&new_path=%2Fmasterstudy-lms-learning-management-system/tags/3.7.26"}, {"source": "security@wordfence.com", "url": "https://ti.wordfence.io/vendors/patch/1789/download"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a51fe96-f3d3-46fe-9e3a-fb7c1bd17b05?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.25]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education", "source": "cna", "vendor": "stylemix"}, "product": "masterstudy_lms_wordpress_plugin_\u2013_for_online_courses_and_education", "vendor": "stylemix"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T03:21:00.961858+00:00", "value": {"mitigation_remediation": ["Update the MasterStudy LMS plugin to version 3.7.26 or later, which removes the vulnerable code paths. ", "Apply the Wordfence patch available at https://ti.wordfence.io/vendors/patch/1789/download, which rewrites the Query builder to quote order_by values properly. ", "If an immediate update is not possible, restrict the /lms/stm-lms/order/items endpoint to administrators only or block the order_by parameter via a firewall or content security rule to prevent injection attempts."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection leading to data exfiltration"}, "threat_synthesis": {"affected_systems": "MasterStudy LMS WordPress Plugin \u2013 for Online Courses and Education from stylemix is vulnerable in all releases up to and including 3.7.25. The attack surface is the /lms/stm-lms/order/items endpoint, which is reachable by any logged\u2011in user with subscriber or higher permissions.", "description_and_impact": "The vulnerability is a time\u2011based blind SQL injection that occurs when the Order By clause of the /lms/stm-lms/order/items REST API endpoint is constructed from user input that includes parentheses. The WordPress plugin does not quote the value, so a crafted order_by parameter can inject arbitrary SQL. Authenticated users with subscriber role or higher can exploit this to retrieve confidential data such as user passwords, session tokens and other database contents through delayed responses. The injected SQL is executed with the privileges of the WordPress database user, giving the attacker data\u2011theft capabilities without compromising the server directly.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity. No EPSS data is available and the vulnerability is not listed in CISA\u2019s KEV catalog, but the need for authenticated access and the potential to leak credentials make the risk higher than the score alone suggests. The exploit path requires knowledge of the plugin's REST API and the ability to manipulate ORDER BY parameters. In a typical WordPress installation, an attacker can perform the injection after gaining login credentials or through social engineering to obtain subscriber-level access. Once successful, the attacker can perform time\u2011based blind SQL queries to enumerate and exfiltrate sensitive data. Due to the moderate CVSS coupled with real\u2011world access conditions, the overall risk is considered significant for any site using these plugin versions."}}}}, "created": "2026-04-17T03:30:08.500703+00:00", "updated": "2026-04-17T03:30:08.587323+00:00", "vendors": ["stylemix", "stylemix$PRODUCT$masterstudy_lms_wordpress_plugin_\u2013_for_online_courses_and_education", "wordpress", "wordpress$PRODUCT$wordpress"]}