CVE-2026-4817 is a time-based blind SQL injection vulnerability in the MasterStudy LMS WordPress Plugin (up to version 3.7.25). The issue stems from insufficient input sanitization combined with a design flaw in the plugin's custom Query builder class, which directly concatenates values containing parentheses into the ORDER BY clause without quoting. Although esc_sql() is used to escape quotes and backslashes, it does not prevent injection when the ORDER BY values are unquoted. Authenticated attackers with subscriber-level privileges or higher can exploit this to append arbitrary SQL queries via the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint, potentially extracting sensitive database information including user credentials and session tokens. The vulnerability has a CVSS 3.1 base score of 6.5, indicating medium severity. No official fix or patch has been published by the vendor as of the information provided.

An authenticated attacker with subscriber-level access or higher can exploit this vulnerability to perform time-based blind SQL injection attacks via the ORDER BY clause. This allows the attacker to extract sensitive information from the database, including user credentials and session tokens, potentially compromising user accounts and session integrity. The vulnerability does not affect availability or integrity directly but impacts confidentiality of sensitive data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access where possible and monitor for suspicious activity related to the /lms/stm-lms/order/items REST API endpoint. Avoid exposing this endpoint to untrusted users. No vendor-provided mitigation or temporary fix is currently documented.