CVE-2026-10824
Unauthenticated Course Progress Deletion in Masteriyo LMS

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: WPScan

Description
The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.
Affected Vendors & Products

Vendor: masteriyo
Product: lms
Version / Range: up to 2.2.1 (exclusive)
Executive Summary

CVE-2026-10824 is a vulnerability in the Masteriyo LMS WordPress plugin versions prior to 2.2.1. The issue arises because the plugin does not perform authorization checks in its course-progress REST API controller.

This lack of authorization allows unauthenticated users to read and permanently delete any user's course progress records.

In other words, an attacker can access sensitive progress data of enrolled students or erase their progress entirely without needing to log in or authenticate.

Impact Analysis

This vulnerability can have significant impacts if you use the Masteriyo LMS plugin on your WordPress site.

  • An attacker can view sensitive course progress data of any enrolled student without authentication.
  • An attacker can permanently delete any user's course progress records, potentially causing data loss and disrupting learning activities.

Such unauthorized access and data manipulation can undermine user trust and the integrity of your learning management system.

Detection Guidance

This vulnerability involves unauthorized access to the course-progress REST API controller in the Masteriyo LMS WordPress plugin, allowing unauthenticated users to read or delete course progress records.

To detect this vulnerability on your system, you can check if your Masteriyo LMS plugin version is prior to 2.2.1, as versions 2.1.7 and 2.2.0 are confirmed vulnerable.

You can also monitor traffic for REST API calls to the course-progress endpoints that arrive without any WordPress authentication (no valid login cookie and nonce, and no application-password credentials), especially GET requests that read another user's progress and DELETE requests that remove it.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the Masteriyo LMS WordPress plugin to version 2.2.1 or later, where the authorization checks have been properly implemented.

Until the update can be applied, consider restricting access to the course-progress REST API endpoints to authenticated users only, if possible, via web server or WordPress configuration.
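The interim control described above, together with the monitoring suggested under Detection Guidance, can be implemented as a WordPress must-use plugin that short-circuits the REST request before the plugin's controller runs. This is an added example, not code from Masteriyo or from this advisory; the advisory does not name the affected routes, so the route pattern below is an assumption that must be adjusted to the routes your installation actually exposes.

```php
<?php
/**
 * Plugin Name: Course-progress REST gate (added example, not Masteriyo code)
 * Description: Logs and blocks unauthenticated requests to course-progress REST routes.
 * Install as wp-content/mu-plugins/course-progress-rest-gate.php on sites that
 * cannot yet update to Masteriyo LMS 2.2.1. Updating remains the real fix.
 */

// ASSUMPTION: the advisory does not list the vulnerable routes. This pattern
// matches any REST route whose path contains "course-progress"; verify it
// against the routes registered on your site (e.g. GET /wp-json/ lists them).
define( 'CPG_ROUTE_PATTERN', '#course-progress#i' );

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
	$route = $request->get_route();

	// Only gate the course-progress routes; leave every other REST route untouched.
	if ( ! preg_match( CPG_ROUTE_PATTERN, $route ) ) {
		return $response;
	}

	// By this point WordPress has resolved cookie+nonce or application-password
	// authentication; an unauthenticated caller resolves to user ID 0.
	if ( is_user_logged_in() ) {
		return $response;
	}

	// Detection: record the blocked attempt so the PHP error log (or whatever
	// ships it to your SIEM) shows method, route and source address.
	error_log( sprintf(
		'course-progress-rest-gate: blocked unauthenticated %s %s from %s',
		$request->get_method(),
		$route,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
	) );

	// Mitigation: returning a WP_Error here stops the controller callback from
	// running, so the unauthenticated read or delete never reaches the database.
	return new WP_Error(
		'rest_forbidden',
		'Authentication required.',
		array( 'status' => 401 )
	);
}, 10, 3 );
```

Legitimate front-end features of the plugin that call these routes for logged-in students continue to work, because those requests carry the WordPress cookie and REST nonce and therefore pass the is_user_logged_in() check.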

Compliance Impact

The vulnerability allows unauthenticated users to read and permanently delete any user's course-progress records, which involves unauthorized access to and deletion of potentially sensitive personal data.

Such unauthorized access and data manipulation could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal data access, integrity, and confidentiality.

Specifically, the lack of authorization checks violates principles of access control and data protection, potentially exposing organizations using the affected plugin to regulatory risks and penalties.
