CVE-2026-0559 is a stored cross-site scripting (XSS) vulnerability identified in the MasterStudy LMS WordPress plugin, a widely used tool for managing online courses and education content. The vulnerability exists in the 'stm_lms_courses_grid_display' shortcode, which fails to properly sanitize and escape user-supplied attributes before rendering them on web pages. This improper neutralization of input (CWE-79) allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability affects all versions up to and including 3.7.11. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (contributor or above), no user interaction, and scope change due to impact on other users. No public exploits are currently known. The vulnerability's impact is significant in multi-user environments where contributors can add or edit content, as it enables persistent XSS attacks that can affect administrators and other users. The lack of a patch link suggests that users should monitor vendor updates closely or apply manual mitigations. This vulnerability highlights the importance of rigorous input validation and output encoding in WordPress plugins, especially those handling user-generated content in educational platforms.

The primary impact of CVE-2026-0559 is the potential for persistent cross-site scripting attacks on websites using the MasterStudy LMS plugin. Exploitation can lead to session hijacking, credential theft, unauthorized actions performed with victim user privileges, and potential privilege escalation if administrators are targeted. This can compromise the confidentiality and integrity of user data and the platform itself. The availability impact is minimal as the vulnerability does not directly cause denial of service. However, successful exploitation can damage organizational reputation, lead to data breaches, and disrupt educational services. Organizations with multiple contributors and high user interaction are at greater risk, as attackers can leverage contributor accounts to inject malicious scripts affecting a broad user base. The medium CVSS score reflects the need for timely remediation to prevent exploitation, especially in environments with sensitive educational content and personal user data.

To mitigate CVE-2026-0559, organizations should: 1) Update the MasterStudy LMS plugin to the latest version once a patch is released by the vendor. 2) Until a patch is available, restrict contributor-level permissions to trusted users only and review user roles to minimize unnecessary privileges. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the vulnerable shortcode. 4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 5) Conduct regular security audits and code reviews of custom shortcodes or plugin extensions to ensure proper input sanitization and output encoding. 6) Monitor logs and user activity for signs of XSS exploitation attempts or unusual behavior. 7) Educate content contributors about safe content practices and the risks of injecting untrusted code. These measures collectively reduce the risk of exploitation and limit the impact if an attack occurs.