CVE-2026-0559 is a stored Cross-Site Scripting vulnerability identified in the MasterStudy LMS WordPress plugin, a popular tool for managing online courses and education content. The vulnerability exists in all plugin versions up to and including 3.7.11, specifically within the 'stm_lms_courses_grid_display' shortcode. This shortcode fails to properly sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or unauthorized actions within the LMS environment. The vulnerability requires the attacker to have at least contributor privileges, which are commonly granted to users who can submit content but not publish it directly. No user interaction beyond visiting the infected page is necessary for exploitation. The CVSS v3.1 base score of 6.4 reflects that the attack vector is network-based, with low complexity, requiring privileges but no user interaction, and impacts confidentiality and integrity with no effect on availability. No known exploits are reported in the wild yet, but the vulnerability poses a significant risk to the security of educational platforms relying on this plugin. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for vigilance and interim mitigations.

For European organizations, especially educational institutions and e-learning providers using the MasterStudy LMS plugin, this vulnerability can lead to unauthorized script execution within their platforms. This compromises the confidentiality of user data, including personal information and potentially sensitive educational content. Integrity is also at risk, as attackers could manipulate course content or user interactions, undermining trust in the platform. Although availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches could be severe. The requirement for contributor-level access means insider threats or compromised accounts pose a significant risk vector. Given the widespread use of WordPress and the growing reliance on online education in Europe, the vulnerability could affect a broad user base, including students, educators, and administrators. The cross-site scripting could also be leveraged to pivot attacks against other internal systems if session tokens or credentials are stolen.

Immediate mitigation steps include restricting contributor-level permissions to trusted users only and monitoring for suspicious shortcode usage or unexpected content injections. Organizations should implement strict input validation and output encoding on any custom LMS content if possible. Deploying a Web Application Firewall (WAF) with robust XSS detection and blocking rules can help prevent exploitation attempts. Administrators should regularly audit user roles and permissions to minimize the number of users with contributor or higher access. Until an official patch is released, consider disabling or limiting the use of the vulnerable shortcode 'stm_lms_courses_grid_display' in course pages. Educate users and administrators about the risks of XSS and encourage reporting of unusual behavior. Once a patch becomes available from the vendor, apply it promptly. Additionally, enable Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts.