CVE-2026-5167
Authorization Bypass in Masteriyo LMS via Insecure Webhook Handling
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| masteriyo | masteriyo_lms | up to and including 2.1.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Masteriyo LMS plugin for WordPress has a vulnerability called Authorization Bypass Through User-Controlled Key in versions up to 2.1.7.
This happens because the webhook endpoint does not properly verify the signature of incoming webhook requests.
Specifically, signature verification only runs if a webhook_secret is set and the Stripe-Signature request header is present (PHP exposes it as HTTP_STRIPE_SIGNATURE in $_SERVER).
Since webhook_secret defaults to an empty string, a default installation never enters the verification branch, so the webhook endpoint accepts attacker-controlled JSON payloads unverified.
This allows unauthenticated attackers to send fake Stripe webhook events with arbitrary order IDs and mark orders as completed without payment.
As a result, attackers can gain unauthorized access to paid course content.
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass payment verification and mark any order as completed without actually paying.
Consequently, unauthorized users can gain access to paid course content without purchasing it.
This can lead to financial loss for course providers and undermine the integrity of the eLearning platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to mark orders as completed without payment and gain unauthorized access to paid course content by bypassing webhook signature verification.
This unauthorized access to paid content could potentially lead to violations of data protection and access control requirements found in standards like GDPR and HIPAA, which mandate proper authorization and protection of user data and access.
However, the provided information does not explicitly describe the impact on compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Masteriyo LMS plugin processing unauthenticated webhook requests without proper signature verification. Detection would involve monitoring incoming HTTP requests to the webhook endpoint for suspicious or unauthorized Stripe webhook events.
Specifically, look for HTTP POST requests to the webhook endpoint that lack the Stripe-Signature header, or whose JSON payload carries unexpected order_id values in the event metadata.
Commands to detect such activity rely on web server logs or network captures that filter requests to the webhook URL and inspect headers and payloads. For example:
- grep 'webhook' /var/log/apache2/access.log lists requests to the webhook path. Note that the default Apache and nginx access-log formats do not record request headers, so a filter such as grep -v 'Stripe-Signature' only works once the log format has been extended to include that header (for Apache, %{Stripe-Signature}i in a LogFormat directive); grepping for the PHP variable name HTTP_STRIPE_SIGNATURE will never match, since that name does not appear on the wire.
- tcpdump or Wireshark filters to capture HTTP POST requests to the webhook endpoint and analyze payloads for suspicious order_id metadata (only useful where the traffic is visible in cleartext, e.g. behind a TLS-terminating proxy).
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Masteriyo LMS plugin to a version later than 2.1.7 where the webhook signature verification issue is fixed.
If an update is not immediately possible, ensure that the webhook_secret setting is configured with a strong secret value and that the webhook endpoint enforces signature verification by requiring the HTTP_STRIPE_SIGNATURE header.
Additionally, restrict access to the webhook endpoint to trusted IP addresses or networks if possible, and monitor logs for suspicious webhook activity.
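As an added example that is not code from the advisory or from the Masteriyo project, the following Python models both the handler logic described in the first answer and the mitigation in the last one. `vulnerable_accepts` mirrors the described pattern (verify only when a secret and a header are both present, otherwise trust the body), while `verify_stripe_signature` is the fail-closed replacement that requires a configured secret, a present header, a fresh timestamp and a matching HMAC. The signing scheme is Stripe's documented one (HMAC-SHA256 over `<timestamp>.<raw body>`, carried as `t=...,v1=...`); the secret values, order id and event body are constructed for the example.

```python
import hmac
import hashlib
import json

TOLERANCE_SECONDS = 300  # reject timestamps outside a 5-minute window (replay guard)

# Constructed sample (not from the advisory): a forged event naming an arbitrary order.
FORGED_EVENT = json.dumps({"type": "checkout.session.completed",
                           "data": {"object": {"metadata": {"order_id": 1234}}}})

def parse_stripe_signature(header):
    """Split a 'Stripe-Signature: t=<ts>,v1=<hex>' value into (ts, [v1, ...])."""
    ts, sigs = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            ts = int(value)  # ValueError on garbage is caught by the caller
        elif key == "v1":
            sigs.append(value)
    return ts, sigs

def expected_signature(payload, secret, ts):
    """Stripe signs '<timestamp>.<raw body>' with HMAC-SHA256 under the endpoint secret."""
    return hmac.new(secret.encode(), f"{ts}.{payload}".encode(), hashlib.sha256).hexdigest()

def verify_stripe_signature(payload, header, secret, now):
    """Hardened check. Fail closed: no secret, no header, stale timestamp or bad MAC -> False."""
    if not secret or not header:
        return False
    try:
        ts, sigs = parse_stripe_signature(header)
    except ValueError:
        return False
    if ts is None or not sigs or abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = expected_signature(payload, secret, ts)
    # Constant-time comparison on bytes so a non-ASCII header value cannot raise.
    return any(hmac.compare_digest(expected.encode(), s.encode()) for s in sigs)

def vulnerable_accepts(payload, header, secret, now):
    """The flawed pattern the advisory describes: verify only when a secret AND a header
    are present; with the default empty secret the payload is trusted as-is."""
    if secret and header:
        return verify_stripe_signature(payload, header, secret, now)
    return True

def sign(payload, secret, ts):
    """Build the header a legitimate sender would attach (used here to create a genuine event)."""
    return f"t={ts},v1={expected_signature(payload, secret, ts)}"
```

A fixed handler calls `verify_stripe_signature` unconditionally and rejects the request on False before touching any order; refusing to start when `webhook_secret` is empty is the configuration-time equivalent.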