The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.
History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Masteriyo
Masteriyo masteriyo Lms – Lms Course Builder, Quizzes & Certificates
Wordpress
Wordpress wordpress
Vendors & Products Masteriyo
Masteriyo masteriyo Lms – Lms Course Builder, Quizzes & Certificates
Wordpress
Wordpress wordpress

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators.
Title Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-27T06:50:57.531Z

Updated: 2026-06-29T12:20:04.970Z

Reserved: 2026-06-09T11:55:57.904Z

Link: CVE-2026-11773

cve-icon Vulnrichment

Updated: 2026-06-29T12:19:48.415Z

cve-icon NVD

No data.

cve-icon Redhat

No data.