CVE-2025-53209
Incorrect Privilege Assignment in Masteriyo LMS PRO
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeisle | masteriyo_lms_pro | to 2.20.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Masteriyo LMS PRO allows unauthenticated attackers to escalate privileges and potentially gain full control of the affected website. Such a critical privilege escalation flaw classified under OWASP Top 10's "Broken Access Control" can lead to unauthorized access to sensitive data.
This unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Therefore, if exploited, this vulnerability could result in violations of these regulations due to failure in protecting data confidentiality, integrity, and availability.
Can you explain this vulnerability to me?
CVE-2025-53209 is a high-priority privilege escalation vulnerability found in the WordPress Masteriyo LMS PRO plugin, specifically in versions 2.20.0 and earlier.
This flaw allows unauthenticated attackers to escalate their low-privilege access to higher privilege levels, potentially gaining full control over the affected website.
The vulnerability is categorized under OWASP Top 10's "Broken Access Control" and has a critical CVSS score of 9.8, indicating a severe security risk.
How can this vulnerability impact me?
This vulnerability can have a critical impact by allowing attackers to escalate their privileges without authentication.
An attacker exploiting this flaw could gain full control of the affected website, leading to unauthorized access, data theft, manipulation, or disruption of services.
Because it is a broken access control issue, it poses a significant threat to websites of any size or popularity and can be exploited in widespread attack campaigns.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress Masteriyo LMS PRO Plugin versions 2.20.0 and earlier, allowing privilege escalation due to broken access control.
To detect this vulnerability on your system, you should check the installed version of the Masteriyo LMS PRO plugin to see if it is version 2.20.0 or earlier.
A common way to check the plugin version on a WordPress installation is to inspect the plugin's readme or main plugin file, for example:
- Navigate to the WordPress plugins directory: `cd wp-content/plugins/masteriyo-lms-pro`
- Use `grep` or `cat` to find the version in the main plugin file, e.g., `grep 'Version' masteriyo-lms-pro.php`
Additionally, monitoring for unusual privilege escalations or unauthorized access attempts in your WordPress logs or web server logs may help detect exploitation attempts.
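The version check described above, carried through as a small POSIX shell script. This is an added example, not code from the advisory, from Patchstack or from the plugin's vendor. It assumes the plugin's main file carries a standard WordPress `Version:` header line and that the file path follows the page's example (`wp-content/plugins/masteriyo-lms-pro/masteriyo-lms-pro.php`); the embedded plugin header is constructed sample input so the script runs offline. It goes slightly beyond the page's `grep` by comparing the extracted version numerically against the "to 2.20.0 (inc)" range from the affected-versions table, so that a `2.20.1` install is reported as not affected rather than just printed.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a WordPress plugin's
# header version falls inside the affected range named in this CVE record.
# Assumption: the plugin's main file has a standard "Version:" header line.

AFFECTED_UP_TO="2.20.0"   # highest affected version, from the page's table

# Extract the value of the "Version:" header from a plugin main file.
# Only digits and dots are captured, so the result is safe for numeric tests.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Compare two dotted versions field by field; prints -1, 0 or 1 like strcmp.
# Missing trailing fields count as 0, so "2.20" equals "2.20.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# "affected" if installed <= AFFECTED_UP_TO, "not-affected" if newer,
# "unknown" if no Version header could be read.
assess() {
    v="$1"
    if [ -z "$v" ]; then printf '%s\n' unknown; return; fi
    if [ "$(vercmp "$v" "$AFFECTED_UP_TO")" -le 0 ]; then
        printf '%s\n' affected
    else
        printf '%s\n' not-affected
    fi
}

# Constructed sample plugin header (not a real file from the plugin) so the
# script can be exercised without a WordPress install.
make_sample() {
    cat > "$1" <<'EOF'
<?php
/**
 * Plugin Name: Masteriyo LMS PRO
 * Version: 2.20.0
 */
EOF
}

if [ -n "${1:-}" ]; then
    # Real use: pass the path to the plugin's main file, e.g.
    # ./check.sh wp-content/plugins/masteriyo-lms-pro/masteriyo-lms-pro.php
    printf '%s: %s\n' "$1" "$(assess "$(plugin_version "$1")")"
else
    tmp=$(mktemp)
    make_sample "$tmp"
    printf 'sample header version %s -> %s\n' "$(plugin_version "$tmp")" "$(assess "$(plugin_version "$tmp")")"
    rm -f "$tmp"
fi
```

Run it with the plugin's main file as the only argument; with no argument it checks the constructed sample header and reports `affected`, since 2.20.0 is inside the range. A result of `unknown` means the header was not found and the version should be confirmed another way (the plugin's readme or the WordPress admin plugins page).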
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate action to mitigate this vulnerability is to update the Masteriyo LMS PRO plugin to version 2.20.1 or later.
Until the update is applied, Patchstack provides a mitigation rule that can be enabled to block attacks targeting this vulnerability.
Users of Patchstack can also enable auto-updates for vulnerable plugins to enhance security and reduce the risk of exploitation.