CVE-2025-4800: CWE-434 Unrestricted Upload of File with Dangerous Type in StylemixThemes MasterStudy LMS Pro

Severity: High
Published: Wed May 28 2025 (05/28/2025, 05:24:21 UTC)
Source: CVE Database V5
Vendor/Project: StylemixThemes
Product: MasterStudy LMS Pro

Description

The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stm_lms_add_assignment_attachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

AI-Powered Analysis

Last updated: 07/06/2025, 01:41:24 UTC

Technical Analysis

CVE-2025-4800 is a high-severity vulnerability affecting the MasterStudy LMS Pro plugin for WordPress, developed by StylemixThemes. The vulnerability arises from missing file type validation in the function stm_lms_add_assignment_attachment, present in all versions up to and including 4.7.0. This flaw allows authenticated users with Subscriber-level privileges or higher to upload arbitrary files to the web server hosting the affected WordPress site. Because the plugin fails to restrict or validate the types of files uploaded, attackers can upload malicious files such as web shells or scripts that could be executed remotely. This can lead to remote code execution (RCE), compromising the confidentiality, integrity, and availability of the affected system.

The CVSS v3.1 base score is 8.8, reflecting a network attack vector, low attack complexity, low privileges required (Subscriber level), no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a critical risk for sites using this plugin. Since MasterStudy LMS Pro is a learning management system plugin, it is commonly used by educational institutions and corporate training platforms, which often contain sensitive user data and intellectual property. The vulnerability could be exploited to gain unauthorized access, deploy malware, deface websites, or pivot to other internal systems.

Potential Impact

For European organizations, especially educational institutions, e-learning providers, and enterprises using WordPress-based LMS solutions, this vulnerability poses a significant risk. Exploitation could lead to unauthorized data access, including personal data protected under GDPR, resulting in legal and financial repercussions. The ability to execute arbitrary code on the server could allow attackers to disrupt services, steal sensitive information, or use the compromised server as a foothold for further attacks within the organization's network. Given the widespread use of WordPress in Europe and the popularity of LMS plugins, the threat could impact a broad range of organizations from universities to corporate training departments. Additionally, disruption of educational services could cause reputational damage and have operational consequences. The lack of public exploits currently provides a window for mitigation, but the vulnerability's characteristics suggest it could be weaponized quickly once exploited in the wild.

Mitigation Recommendations

Organizations should immediately verify if they are using the MasterStudy LMS Pro plugin version 4.7.0 or earlier. Since no official patch links are currently available, administrators should monitor StylemixThemes’ official channels for updates or patches addressing this vulnerability. As an immediate mitigation, restrict plugin access to trusted users only and consider disabling file upload functionality if not essential. Implement web application firewall (WAF) rules to block suspicious file uploads and monitor logs for unusual upload activity. Employ strict file upload validation at the server level, such as limiting allowed MIME types and scanning uploaded files for malware. Segregate WordPress instances and limit permissions of user roles to the minimum necessary. Regularly back up website data and have an incident response plan ready in case of compromise. Finally, consider alternative LMS plugins with better security track records if a timely patch is not available.
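The server-level file checks recommended above can be approximated with an audit of the WordPress uploads tree. This is an added example, not code from StylemixThemes or from this advisory; the allowlist, the extension sets and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumed allowlist for assignment attachments; set it to what the site accepts.
ALLOWED_EXT = {".pdf", ".doc", ".docx", ".txt", ".png", ".jpg", ".jpeg", ".zip"}
# Extensions commonly mapped to a server-side interpreter on PHP hosts.
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht", ".cgi", ".pl"}
# Files that change how Apache or PHP treat the directory they sit in.
CONFIG_NAMES = {".htaccess", ".user.ini"}

def audit_file(path: Path) -> list:
    """Return the reasons a file under the upload root looks unsafe."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if path.name.lower() in CONFIG_NAMES:
        reasons.append("server config override")
    elif not suffixes or suffixes[-1] not in ALLOWED_EXT:
        reasons.append("extension not on allowlist")
    # Check every suffix, not just the last, to catch names like a.php.jpg.
    if any(s in EXEC_EXT for s in suffixes):
        reasons.append("executable extension in name")
    with path.open("rb") as fh:
        if b"<?php" in fh.read(65536):  # content check, independent of the name
            reasons.append("PHP open tag in content")
    return reasons

def audit_tree(root: str) -> dict:
    """Walk the upload root and map relative path -> list of reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            reasons = audit_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_tree() -> str:
    """Constructed sample data: a temp upload dir with benign and unsafe files."""
    root = tempfile.mkdtemp(prefix="uploads_")
    samples = {"essay.pdf": b"%PDF-1.4 constructed", "notes.txt": b"plain text",
               "hw.php": b"<?php echo 1;", "scan.php.jpg": b"\xff\xd8\xff constructed",
               "photo.jpg": b"\xff\xd8\xff<?php echo 1;", ".htaccess": b"# constructed"}
    for name, data in samples.items():
        Path(root, name).write_bytes(data)
    return root

if __name__ == "__main__":
    for rel, why in sorted(audit_tree(build_sample_tree()).items()):
        print(rel, "->", ", ".join(why))
```

On a real site, point `audit_tree` at the uploads directory and treat any finding as a lead for incident response rather than proof of compromise.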

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-15T19:46:25.446Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6836a280182aa0cae238f9b6

Added to database: 5/28/2025, 5:43:28 AM

Last enriched: 7/6/2025, 1:41:24 AM

Last updated: 8/16/2025, 10:20:19 AM
