PatchSiren


CVE-2026-11773 masteriyo CVE debrief

The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. The plugin fails to properly verify that a user is authorized to perform an action, which allows authenticated attackers with student-level access and above to modify the description of arbitrary course announcements authored by instructors or administrators. The vulnerability has a CVSS score of 4.3 and is classified as MEDIUM severity. The CVE record was published on June 27, 2026, and last modified on June 29, 2026.

Vendor: masteriyo
Product: Masteriyo LMS – LMS Course Builder, Quizzes & Certificates
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-27
Original CVE updated: 2026-06-29
Advisory published: 2026-06-27
Advisory updated: 2026-06-29

Who should care

Administrators and users of the Masteriyo LMS plugin for WordPress should be aware of this vulnerability and take necessary actions to protect their sites. Authenticated attackers with student-level access and above can exploit this vulnerability to modify course announcements. It is essential to update the plugin to a patched version as soon as possible.

Technical summary

The Masteriyo LMS plugin for WordPress is vulnerable to authorization bypass due to improper verification of user authorization. This allows authenticated attackers with student-level access and above to modify the description of arbitrary course announcements. The vulnerability exists in all versions up to and including 2.2.1. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Defensive priority

Treat patching this vulnerability as medium priority, as it allows authenticated attackers to modify course announcements. Updating the plugin to a patched version is recommended.

Recommended defensive actions

  • Update the Masteriyo LMS plugin to a patched version (if available).
  • Restrict access to course announcements to authorized users only.
  • Monitor course announcements for any unauthorized modifications.
  • Implement additional security measures to prevent exploitation, such as Web Application Firewalls (WAFs).
  • Regularly review and update plugins to ensure they are up-to-date and patched.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its description, CVSS score, and affected versions. The source item URL provides additional information on the vulnerability, including references to the vulnerable code.

This article is AI-assisted and based on the supplied source corpus.