CVE-2026-4817
Time-Based Blind SQL Injection in MasterStudy LMS Plugin
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| masterstudy | masterstudy_lms | 3.7.25 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The MasterStudy LMS WordPress Plugin for Online Courses and Education is vulnerable to a Time-based Blind SQL Injection attack through the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25.
This vulnerability arises because the plugin's custom query builder class does not properly validate input when building ORDER BY clauses. Specifically, if the 'sort_by' value contains parentheses, it is treated as a SQL function and concatenated directly into the SQL query without quotes, allowing attackers to inject arbitrary SQL.
Although some escaping functions like esc_sql() are applied, they cannot prevent injection in this context because the values are not wrapped in quotes in the resulting SQL statement.
Authenticated attackers with subscriber-level access or higher can exploit this flaw to perform time-based blind SQL injection, enabling them to extract sensitive information such as user credentials, session tokens, and other confidential data from the database.
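The mechanism described above, as an added PHP example that is not the plugin's code: a simplified model of an ORDER BY builder that treats a value containing "(" as a function and emits it unquoted, beside an allow-list version. The column names, the `addslashes()` stand-in for `esc_sql()`, and the function names are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). Escaping only protects values that
// end up inside a quoted string literal; an identifier or function expression
// in ORDER BY is never quoted, so escaping cannot make it safe. The defence
// is an allow-list: the user's string never reaches the SQL text.

// Hypothetical allow-list of sortable columns and directions (assumption).
const ALLOWED_ORDERBY = ['id', 'title', 'date', 'price'];
const ALLOWED_ORDER   = ['ASC', 'DESC'];

/**
 * Weak pattern: a value containing "(" is assumed to be a SQL function and
 * concatenated verbatim; other values are wrapped in backticks. Escaping
 * (addslashes() here, esc_sql() in WordPress) does nothing useful because
 * no quote character delimits the value in the resulting SQL.
 */
function build_order_by_weak(string $sort_by, string $order): string
{
    $sort_by = addslashes($sort_by);
    $expr = (strpos($sort_by, '(') !== false) ? $sort_by : "`$sort_by`";
    return "ORDER BY $expr $order";
}

/**
 * Hardened pattern: accept only allow-listed column names and directions,
 * falling back to a safe default. Anything else, including a string shaped
 * like a function call, is discarded rather than placed in the query.
 */
function build_order_by_safe(string $sort_by, string $order): string
{
    $column    = in_array($sort_by, ALLOWED_ORDERBY, true) ? $sort_by : 'id';
    $direction = in_array(strtoupper($order), ALLOWED_ORDER, true)
        ? strtoupper($order) : 'ASC';
    return "ORDER BY `$column` $direction";
}

// Constructed inputs: a legitimate column, and a value shaped like a
// function call, which the weak builder passes through unquoted.
$inputs = [['title', 'desc'], ['LOWER(title)', 'asc']];
foreach ($inputs as [$sort_by, $order]) {
    printf("input %-13s weak: %-28s safe: %s\n", $sort_by,
        build_order_by_weak($sort_by, $order),
        build_order_by_safe($sort_by, $order));
}
```

The second input shows the difference: the weak builder emits the raw expression, while the hardened builder never includes it in the query at all.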
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized disclosure of sensitive information stored in the database.
- Attackers can extract user credentials, which may lead to account compromise.
- Session tokens can be stolen, potentially allowing attackers to hijack user sessions.
- Other confidential data stored in the database can be accessed without authorization.
Since the attack requires only subscriber-level access, it lowers the barrier for exploitation by malicious users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers to extract sensitive information from the database, including user credentials, session tokens, and other confidential data. This exposure of sensitive personal data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information.
Specifically, unauthorized access to user credentials and session tokens may violate requirements for data confidentiality and integrity under these standards, potentially resulting in legal and regulatory consequences for affected organizations.