CVE-2026-4817
Status: Received - Intake
Time-Based Blind SQL Injection in MasterStudy LMS Plugin

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The MasterStudy LMS WordPress Plugin for Online Courses and Education (a WordPress plugin) is vulnerable to time-based blind SQL injection via the 'order' and 'orderby' parameters of the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25.

The cause is insufficient input sanitization combined with a design flaw in the plugin's custom Query builder class, which allows unquoted injection into ORDER BY clauses. When the Query builder finds parentheses in the sort_by value, it treats the value as a SQL function and concatenates it directly into the ORDER BY clause without quoting. esc_sql() is applied, but it only escapes quotes and backslashes; it cannot stop ORDER BY injection when the value is never wrapped in quotes in the resulting SQL statement, because an identifier or expression position in SQL needs an allowlist of permitted columns and directions, not string escaping.

As a result, authenticated attackers with subscriber-level access or above can append arbitrary SQL to the ORDER BY clause and extract sensitive information from the database, including user credentials, session tokens and other confidential data, using time-based blind SQL injection techniques.
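The pattern the description reports (esc_sql() applied, value pasted into ORDER BY unquoted, parentheses taken to mean "SQL function") can be modelled in a few lines. The following is an added example written for this page; it is not the MasterStudy Query builder's code. The esc_sql() stand-in, the table name wp_stm_lms_order_items and the sortable columns are assumptions made for the illustration; wp_users and user_pass are WordPress's real user table and password-hash column.

```python
"""Model of escaped-but-unquoted ORDER BY construction and its allowlist fix.

Added example for this advisory; it is not the plugin's own code. The table
and column names below are hypothetical.
"""


def esc_sql(value: str) -> str:
    """Stand-in for WordPress esc_sql(): backslash-escapes quotes and backslashes.

    The real function also escapes NUL and a few control characters, which
    does not change the point: it only protects values placed inside quotes.
    """
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


TABLE = "wp_stm_lms_order_items"  # hypothetical table name


def build_order_by_vulnerable(sort_by: str, order: str) -> str:
    """Flawed pattern: both values are escaped, neither is quoted.

    Parentheses switch the builder into "SQL function" mode and the value is
    pasted verbatim; the direction is concatenated as-is in both branches.
    """
    sort_by = esc_sql(sort_by)
    order = esc_sql(order)
    if "(" in sort_by:
        column = sort_by           # treated as a function call, pasted verbatim
    else:
        column = f"`{sort_by}`"    # plain column name, backtick-wrapped
    return f"SELECT * FROM {TABLE} ORDER BY {column} {order}"


# Time-based blind payload (constructed for the demo). It contains no quotes
# or backslashes, so esc_sql() returns it unchanged. The hex literal 0x24
# stands for '$' (the first byte of a WordPress password hash) precisely to
# avoid the quote characters esc_sql() would escape.
BLIND_PAYLOAD = ("(SELECT IF(SUBSTRING(user_pass,1,1)=0x24,SLEEP(5),0) "
                 "FROM wp_users LIMIT 1)")

ALLOWED_COLUMNS = {"id", "date", "total"}   # hypothetical sortable columns
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_order_by_safe(sort_by: str, order: str) -> str:
    """Fix: identifier positions get an allowlist, not string escaping.

    Unknown values are rejected outright rather than "cleaned", so a
    parenthesised expression never reaches the SQL string.
    """
    if sort_by not in ALLOWED_COLUMNS:
        raise ValueError(f"orderby not allowed: {sort_by!r}")
    direction = order.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"order not allowed: {order!r}")
    return f"SELECT * FROM {TABLE} ORDER BY `{sort_by}` {direction}"


if __name__ == "__main__":
    # Escaping did nothing: the subquery lands in the statement intact.
    print(build_order_by_vulnerable(BLIND_PAYLOAD, "ASC"))
    # The direction parameter is injectable on its own, no parentheses needed.
    print(build_order_by_vulnerable("id", "ASC, (SELECT SLEEP(5))"))
    # Allowlisted builder accepts known columns only.
    print(build_order_by_safe("date", "desc"))
    for bad in ((BLIND_PAYLOAD, "ASC"), ("id", "ASC, (SELECT SLEEP(5))")):
        try:
            build_order_by_safe(*bad)
        except ValueError as err:
            print("rejected:", err)
```

The check that matters is the one on the identifier position: a column name or sort direction is SQL syntax, not string data, so the only safe handling is comparison against a fixed set of permitted values. Rewriting esc_sql() or adding more escaping does not change the outcome, since the attacker simply avoids the characters being escaped.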
Meta Information
Published: 2026-04-17
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Associated CPEs: 1
Vendor: masterstudy
Product: masterstudy_lms
Version / Range: 3.7.25 (the description states versions up to and including 3.7.25)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

The MasterStudy LMS WordPress Plugin for Online Courses and Education is vulnerable to a Time-based Blind SQL Injection attack through the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25.

This vulnerability arises because the plugin's custom Query builder class does not properly sanitize input when handling ORDER BY clauses. Specifically, if the 'sort_by' parameter contains parentheses, it is treated as a SQL function and concatenated directly into the SQL query without quotes, allowing attackers to inject arbitrary SQL.

Although some escaping functions like esc_sql() are applied, they cannot prevent injection in this context because the values are not wrapped in quotes in the resulting SQL statement.

Authenticated attackers with subscriber-level access or higher can exploit this flaw to perform time-based blind SQL injection, enabling them to extract sensitive information such as user credentials, session tokens, and other confidential data from the database.
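Because the endpoint path and the two parameter names are known, exploitation attempts leave a recognisable trace in web-server access logs. The following is an added example, not part of the original page: it scans combined-format access log lines (constructed here for the demo) for requests to the /lms/stm-lms/order/items route, in either the /wp-json/ or the ?rest_route= form that WordPress accepts, whose 'order' or 'orderby' value carries parentheses or a timing primitive. The log lines, client addresses and user agents are made up.

```python
"""Scan access-log lines for ORDER BY injection attempts against the
/lms/stm-lms/order/items REST route. Added example; sample log is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format prefix: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

TARGET_ROUTE = "/lms/stm-lms/order/items"

# Parentheses are the precise indicator: they are what flips the builder into
# "SQL function" mode. SLEEP/BENCHMARK are the usual MySQL timing primitives.
SUSPICIOUS = re.compile(r"[()]|\bsleep\b|\bbenchmark\b", re.I)


def rest_route(target: str):
    """Return (route, query params) for a request target, resolving the
    ?rest_route= form WordPress uses when pretty permalinks are off."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    route = params["rest_route"][0] if "rest_route" in params else parts.path
    return route, params


def flag_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, params = rest_route(m["target"])
    if not route.rstrip("/").endswith(TARGET_ROUTE):
        return None
    hits = {}
    for name in ("order", "orderby"):
        for value in params.get(name, []):
            if SUSPICIOUS.search(value):
                hits[name] = value
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "route": route,
            "status": m["status"], "hits": hits}


def scan(lines):
    """Apply flag_line() to every line and keep the findings."""
    return [f for f in map(flag_line, lines) if f]


# Constructed sample log: one benign request, two injection attempts, one
# parenthesised value on an unrelated route, and one POST whose body is not
# visible in an access log at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2026:10:00:01 +0000] "GET /wp-json/lms/stm-lms/order/items'
    '?orderby=date&order=desc HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Apr/2026:10:00:07 +0000] "GET /wp-json/lms/stm-lms/order/items'
    '?orderby=%28SELECT%20IF%28SUBSTRING%28user_pass%2C1%2C1%29%3D0x24%2CSLEEP%285%29%2C0%29'
    '%20FROM%20wp_users%20LIMIT%201%29&order=ASC HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [17/Apr/2026:10:01:15 +0000] "GET /index.php'
    '?rest_route=%2Flms%2Fstm-lms%2Forder%2Fitems&orderby=id&order=ASC%2C%28SELECT%20SLEEP%285%29%29'
    ' HTTP/1.1" 200 340 "-" "curl/8.5.0"',
    '203.0.113.5 - - [17/Apr/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts'
    '?orderby=date&order=(desc) HTTP/1.1" 400 77 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Apr/2026:10:02:30 +0000] "POST /wp-json/lms/stm-lms/order/items'
    ' HTTP/1.1" 200 512 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats a practitioner will want. First, a standard access log records only the query string, so parameters sent in a request body are invisible to this scan; the page does not say which request form the endpoint accepts, so treat the absence of hits as weak evidence. Second, time-based blind injection has a corroborating signal that has nothing to do with the payload text: request duration. Logging it (Apache's %D, nginx's $request_time) turns a cluster of multi-second responses from one client on this route into a finding even when the payload has been obfuscated past a keyword match.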


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized disclosure of sensitive information stored in the database.

  • Attackers can extract user credentials, which may lead to account compromise.
  • Session tokens can be stolen, potentially allowing attackers to hijack user sessions.
  • Other confidential data stored in the database can be accessed without authorization.

Since the attack requires only subscriber-level access, it lowers the barrier for exploitation by malicious users.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers to extract sensitive information from the database, including user credentials, session tokens, and other confidential data. This exposure of sensitive personal data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information.

Specifically, unauthorized access to user credentials and session tokens may violate requirements for data confidentiality and integrity under these standards, potentially resulting in legal and regulatory consequences for affected organizations.

