
CVE-2025-13766: CWE-862 Missing Authorization in stylemix MasterStudy LMS WordPress Plugin – for Online Courses and Education

Severity: Medium
Tags: Vulnerability, CVE-2025-13766, CWE-862
Published: Tue Jan 06 2026 (01/06/2026, 08:21:48 UTC)
Source: CVE Database V5
Vendor/Project: stylemix
Product: MasterStudy LMS WordPress Plugin – for Online Courses and Education

Description

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates.

AI-Powered Analysis

AILast updated: 01/06/2026, 08:52:53 UTC

Technical Analysis

CVE-2025-13766 is a vulnerability classified under CWE-862 (Missing Authorization) found in the MasterStudy LMS WordPress plugin, which is widely used for managing online courses and educational content. The flaw exists because the plugin fails to enforce proper capability checks on multiple REST API endpoints. This lack of authorization validation allows any authenticated user with at least Subscriber-level privileges to perform unauthorized actions such as uploading or deleting arbitrary media files, deleting or modifying posts, and creating or managing course templates. Since WordPress Subscriber roles are typically assigned to users with minimal privileges, this vulnerability significantly lowers the barrier for attackers to escalate their impact within affected systems. The vulnerability affects all versions up to and including 3.7.6 of the plugin. The attack vector is network-based and does not require user interaction, making it easier to exploit remotely. The CVSS 3.1 base score is 5.4, indicating a medium severity level, with low attack complexity and no user interaction required. The impact primarily affects confidentiality and integrity, as unauthorized data modification and deletion can disrupt educational content and user trust. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly to prevent potential exploitation.

Potential Impact

For European organizations, especially educational institutions and e-learning providers using the MasterStudy LMS plugin, this vulnerability poses a significant risk to the integrity and confidentiality of their online course content and user data. Unauthorized modification or deletion of course materials can disrupt learning processes, damage institutional reputation, and lead to loss of trust among students and educators. The ability to upload arbitrary media files could also be leveraged to introduce malicious content or malware into the platform. Since the vulnerability can be exploited by users with minimal privileges, insider threats or compromised low-level accounts could lead to substantial damage. Additionally, unauthorized changes to course templates may affect the delivery and structure of educational programs, potentially causing compliance issues with educational standards or regulations. The absence of availability impact reduces the risk of service outages but does not diminish the seriousness of data integrity and confidentiality breaches. Given the widespread use of WordPress and the popularity of this plugin in European e-learning markets, the threat is relevant and requires immediate attention.

Mitigation Recommendations

1. Immediately update the MasterStudy LMS plugin to a version that addresses this vulnerability once a patch is released by the vendor.
2. Until a patch is available, restrict access to the WordPress REST API endpoints related to the plugin by implementing web application firewall (WAF) rules or custom access controls limiting REST API usage to trusted roles only.
3. Review and tighten user role assignments, ensuring that Subscriber-level users have minimal permissions and that only trusted users have elevated roles capable of modifying course content.
4. Monitor logs for unusual activity related to media uploads, post modifications, and course template changes to detect potential exploitation attempts.
5. Employ multi-factor authentication (MFA) for all user accounts to reduce the risk of account compromise.
6. Conduct regular backups of course content and media files to enable recovery in case of unauthorized deletions or modifications.
7. Educate administrators and content managers about the vulnerability and encourage vigilance in monitoring user activities within the LMS environment.
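The following is an added illustration of the CWE-862 pattern the advisory describes and of mitigations 2 and 4 above; it is not MasterStudy code and does not reproduce the plugin's real endpoints. The REST namespace `example-lms/v1`, the route, and every `example_lms_*` function are hypothetical names chosen for the example. It shows a WordPress REST route registered without a capability check beside the same route with a per-object capability check, and a site-level `rest_pre_dispatch` guard a site owner could drop into a must-use plugin as an interim control that also logs refused requests for monitoring.

```php
<?php
// Added example (not the plugin's own code). Namespace, route and all
// example_lms_* names are hypothetical placeholders.

// --- Vulnerable pattern: route registered without an authorization check -----
// permission_callback => '__return_true' means the handler runs for any caller
// who can reach the route at all; the capability to delete media is never tested.
function example_lms_register_routes_vulnerable() {
    register_rest_route( 'example-lms/v1', '/media/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_lms_delete_media',
        'permission_callback' => '__return_true', // CWE-862: missing authorization
    ) );
}

// --- Hardened pattern: capability check bound to the specific attachment -----
function example_lms_register_routes_hardened() {
    register_rest_route( 'example-lms/v1', '/media/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_lms_delete_media',
        'args'                => array(
            'id' => array(
                'validate_callback' => 'example_lms_is_positive_int',
                'sanitize_callback' => 'absint',
            ),
        ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            $id = (int) $request['id'];
            // delete_post is a meta capability resolved per object: Subscribers
            // cannot delete attachments at all, and other roles only their own
            // unless they hold delete_others_posts. This refuses exactly the
            // action the advisory describes.
            if ( 'attachment' !== get_post_type( $id ) || ! current_user_can( 'delete_post', $id ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to delete this media item.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}
add_action( 'rest_api_init', 'example_lms_register_routes_hardened' );

function example_lms_is_positive_int( $value ) {
    return is_numeric( $value ) && (int) $value > 0;
}

function example_lms_delete_media( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    if ( ! wp_delete_attachment( $id, true ) ) {
        return new WP_Error( 'rest_cannot_delete', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $id ) );
}

// --- Interim site-level guard (mitigation 2) plus logging (mitigation 4) ------
// rest_pre_dispatch runs before any route is dispatched. Until the vendor patch
// is applied, refuse write methods in the plugin's namespace to anyone below
// edit_posts (i.e. Subscribers) and record the refusal for log monitoring.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $namespace = 'example-lms/v1'; // placeholder: set to the affected plugin's real namespace
    $is_write  = in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true );
    $in_plugin = 0 === strpos( $request->get_route(), '/' . $namespace . '/' );

    if ( $is_write && $in_plugin && ! current_user_can( 'edit_posts' ) ) {
        error_log( sprintf(
            'REST write refused: route=%s user=%d ip=%s',
            $request->get_route(),
            get_current_user_id(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges for this endpoint.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $result;
}, 10, 3 );
```

The guard is deliberately coarse: it keys on the namespace and HTTP method rather than on individual routes, so it keeps working even if the plugin's route list is not fully known, at the cost of also blocking legitimate Subscriber writes in that namespace until the patched version restores proper per-endpoint checks. The `error_log` line gives the monitoring step a concrete signal (route, user ID, source address) to alert on.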


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-27T16:40:43.878Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695cc9de3839e44175ff5dba

Added to database: 1/6/2026, 8:37:50 AM

Last enriched: 1/6/2026, 8:52:53 AM

Last updated: 1/8/2026, 10:41:45 AM
