CVE-2025-7438: CWE-434 Unrestricted Upload of File with Dangerous Type in StylemixThemes MasterStudy LMS Pro
The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'install_and_activate_plugin' function in all versions up to, and including, 4.7.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability is difficult to exploit due to timing requirements and environmental factors.
CVE-2025-7438: CWE-434 Unrestricted Upload of File with Dangerous Type in StylemixThemes MasterStudy LMS Pro
Description
The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'install_and_activate_plugin' function in all versions up to, and including, 4.7.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability is difficult to exploit due to timing requirements and environmental factors.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-07-10T17:37:03.103Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6879f137a83201eaacf066fc
Added to database: 7/18/2025, 7:01:11 AM
Last updated: 7/18/2025, 7:01:11 AM
Views: 1
Related Threats
CVE-2025-7772: CWE-862 Missing Authorization in malcure Malcure Malware Scanner — #1 Toolset for Malware Removal
MediumCVE-2025-7643: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aaroncampbell Attachment Manager
CriticalCVE-2025-6726: CWE-862 Missing Authorization in krasenslavov Block Editor Gallery Slider
MediumCVE-2025-6719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vladimirs Terms descriptions
MediumCVE-2025-6718: CWE-862 Missing Authorization in b1accounting B1.lt
HighActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.