CVE-2025-13766: CWE-862 Missing Authorization in stylemix MasterStudy LMS WordPress Plugin – for Online Courses and Education
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates.
AI Analysis
Technical Summary
CVE-2025-13766 is a CWE-862 (Missing Authorization) vulnerability in the MasterStudy LMS WordPress plugin, which is used to manage online courses and education content. Several of the plugin's REST API endpoints lack capability checks in all versions up to and including 3.7.6: the handlers do not verify that the caller holds a capability appropriate to the action, which is the check WordPress expects a route's permission_callback to perform. The REST API authenticates the caller but leaves authorization to the plugin, so any authenticated user with at least Subscriber-level privileges, the lowest default role and the one granted by open self-registration, can upload or delete arbitrary media files, delete or modify posts, and create or manage course templates. Exploitation is remote over the network and needs no interaction from another user. The CVSS v3.1 base score is 5.4 (medium): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), low impact on confidentiality and integrity (C:L/I:L) and no impact on availability (A:N). The record reproduced here carries no patch link, so administrators should confirm from the vendor's changelog whether a release later than 3.7.6 addresses the issue rather than assume one does. The practical consequence is that a low-privileged account can disrupt course content, alter educational materials, or introduce malicious media files, undermining the integrity and trustworthiness of an affected e-learning platform.
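The route pattern behind this class of bug, as an added illustration that is not MasterStudy LMS source code: a WordPress REST route whose permission_callback accepts every request, beside the same route gated by an object-level capability check. The namespace example-lms/v1, the route path and every function name are hypothetical.

```php
<?php
/*
 * Added example, not MasterStudy LMS source. Shows the CWE-862 pattern in a
 * WordPress REST route: WordPress authenticates the caller (cookie + nonce or
 * application password) but authorization is entirely the plugin's job, done
 * in permission_callback. Namespace 'example-lms/v1', the route path and all
 * function names are hypothetical.
 */

// VULNERABLE SHAPE (shown for contrast; never hooked): permission_callback
// accepts every request, so any logged-in user, Subscriber included, can
// delete any attachment by id. Omitting permission_callback entirely is the
// same bug; since WP 5.5 it only adds a _doing_it_wrong() notice.
function example_lms_register_routes_vulnerable() {
    register_rest_route( 'example-lms/v1', '/media/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_lms_delete_media',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED SHAPE: same route, but authorization is checked against the
// specific object before the callback runs, and the id is validated.
function example_lms_register_routes_fixed() {
    register_rest_route( 'example-lms/v1', '/media/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_lms_delete_media',
        'permission_callback' => 'example_lms_can_delete_media',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_lms_register_routes_fixed' );

/**
 * Permission callback. 'delete_post' is a meta capability: map_meta_cap()
 * resolves it to delete_posts or delete_others_posts depending on whether
 * the caller owns the attachment; the Subscriber role holds neither.
 * Returning a WP_Error (rather than false) gives the client a 401/403
 * with a reason code instead of a generic rest_forbidden.
 */
function example_lms_can_delete_media( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    if ( 'attachment' !== get_post_type( $id ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'No such media item.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'delete_post', $id ) ) {
        return new WP_Error(
            'rest_cannot_delete',
            'Sorry, you are not allowed to delete this media item.',
            array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
        );
    }
    return true;
}

// The callback itself can now assume the caller is authorized.
function example_lms_delete_media( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    if ( ! wp_delete_attachment( $id, true ) ) {
        return new WP_Error( 'rest_cannot_delete', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $id ) );
}
```

To confirm the fix from a Subscriber account, send DELETE /wp-json/<namespace>/media/<id> with that account's application password: the hardened route answers 403 with code rest_cannot_delete (401 when unauthenticated), while the vulnerable shape deletes the attachment. The same discipline applies to each endpoint class the advisory names: uploads should require upload_files, post edits and deletions should check edit_post or delete_post against the specific post id, and template management should require whatever capability the plugin reserves for course authors rather than mere login.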
Potential Impact
The primary impact of CVE-2025-13766 is unauthorized modification and deletion of educational content and media within affected WordPress sites using the MasterStudy LMS plugin. This can lead to loss of course data, defacement of educational materials, and insertion of malicious content, which could harm students and educators relying on the platform. The vulnerability does not affect availability, but the integrity, and to a lesser degree the confidentiality, of course content is compromised. Organizations may face reputational damage, loss of user trust, and regulatory compliance issues related to data integrity. An attacker who holds only a Subscriber account, for example one obtained through open self-registration, gains write access to site media, posts and course templates that the role is never supposed to have, which can serve as a foothold for further attacks on the site. The risk is particularly acute for institutions heavily dependent on this plugin for delivering online education, including universities, training providers, and corporate learning platforms.
Mitigation Recommendations
Apply the vendor's fix as soon as a release later than 3.7.6 is available, since that is the only complete remedy; until then, reduce exposure. Because Subscriber is the lowest default role, tightening roles does not by itself remove the risk: disable open self-registration (Settings > General, "Anyone can register") if it is not needed, and audit existing low-privileged accounts for ones nobody recognises. Restrict the vulnerable REST API endpoints with custom code or a security plugin, either by refusing state-changing (POST/PUT/PATCH/DELETE) requests under the plugin's REST namespace from callers lacking the capabilities those actions should require, or by disabling the affected routes outright. A Web Application Firewall (WAF) rule can add a coarse second layer by blocking such requests to the plugin's REST namespace from outside trusted address ranges, but a WAF cannot see WordPress roles, so on its own it cannot tell a Subscriber from an Administrator. Monitor REST API access logs for DELETE and POST requests to the plugin's namespace and to media endpoints, and alert on bursts of media deletions or template changes, which are the signature of exploitation. Enforce strong authentication and multi-factor authentication for privileged accounts to reduce the chance that a compromised account is used, and keep regular, tested backups of course content and media so unauthorised modifications or deletions can be reversed.
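One way to implement the "restrict the vulnerable endpoints via custom code" step, as an added example that is not vendor code: a must-use plugin that refuses state-changing requests under the plugin's REST namespace from callers lacking the capabilities those operations should require, and logs each refusal for the monitoring step. The namespace example-lms/v1 is a placeholder you must replace with the namespace the installed plugin actually registers; all function and constant names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example LMS REST hardening (interim)
 * Description: Added example, not vendor code. Refuses write requests under
 *              a plugin's REST namespace unless the caller holds the
 *              capabilities those operations should require. Install in
 *              wp-content/mu-plugins/ and remove once the vendor fix is applied.
 */

// PLACEHOLDER: replace with the namespace(s) the installed plugin actually
// registers; GET /wp-json/ lists them under "namespaces".
const EXAMPLE_LMS_REST_NAMESPACES = array( 'example-lms/v1' );

// Methods that change state. GET/HEAD/OPTIONS pass through untouched.
const EXAMPLE_LMS_WRITE_METHODS = array( 'POST', 'PUT', 'PATCH', 'DELETE' );

// Capabilities a caller must hold for any write under the namespace.
// The Subscriber role holds neither; Author and above hold both.
function example_lms_required_caps() {
    return array( 'upload_files', 'edit_posts' );
}

// True when the request route sits under one of the protected namespaces.
function example_lms_is_protected_route( $route ) {
    $route = ltrim( (string) $route, '/' );
    foreach ( EXAMPLE_LMS_REST_NAMESPACES as $ns ) {
        if ( 0 === strpos( $route, rtrim( $ns, '/' ) . '/' ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether a request should be refused. Returns null to let WordPress
 * dispatch normally, or a WP_Error that the REST server turns into a
 * 401/403 response. Kept separate from the hook so it can be exercised
 * with a constructed WP_REST_Request in a test.
 */
function example_lms_gate_request( WP_REST_Request $request ) {
    if ( ! in_array( $request->get_method(), EXAMPLE_LMS_WRITE_METHODS, true ) ) {
        return null;
    }
    if ( ! example_lms_is_protected_route( $request->get_route() ) ) {
        return null;
    }
    foreach ( example_lms_required_caps() as $cap ) {
        if ( ! current_user_can( $cap ) ) {
            // One line per refusal so a log rule can alert on bursts.
            error_log( sprintf(
                'example-lms-hardening: refused %s %s user=%d missing_cap=%s ip=%s',
                $request->get_method(),
                $request->get_route(),
                get_current_user_id(),
                $cap,
                isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
            ) );
            return new WP_Error(
                'rest_forbidden',
                'Sorry, you are not allowed to do that.',
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }
    return null;
}

// rest_pre_dispatch runs after authentication (the current user is set) and
// before the route's own callbacks, so the refusal is enforced even though
// the plugin's own permission check is missing.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited the request
    }
    $refusal = example_lms_gate_request( $request );
    return null === $refusal ? $result : $refusal;
}, 10, 3 );
```

This gate is deliberately coarse: it also blocks legitimate student-facing writes that travel through the same namespace (enrolment, quiz submissions and the like), so narrow EXAMPLE_LMS_REST_NAMESPACES to the specific media, post and template routes once you have identified them from GET /wp-json/ and the plugin's register_rest_route calls, test with a Subscriber account, and remove the plugin after updating past 3.7.6.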
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-27T16:40:43.878Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695cc9de3839e44175ff5dba
Added to database: 1/6/2026, 8:37:50 AM
Last enriched: 2/27/2026, 10:18:52 AM
Last updated: 3/21/2026, 11:38:12 AM