Platform: wordpress
Component: learning-management-system
Fixed in: 2.1.7
CVE-2026-4484 is a privilege escalation vulnerability in the Masteriyo LMS plugin for WordPress. It allows authenticated attackers with Student-level access or higher to elevate their privileges to those of an administrator. The vulnerability affects all versions up to and including 2.1.6; version 2.1.7 addresses it.
The Masteriyo LMS plugin for WordPress has a privilege escalation vulnerability. Versions up to and including 2.1.6 are affected. An authenticated attacker with Student-level access or higher can exploit the flaw to elevate their privileges to those of an administrator, which gives them full control of the site: modifying content, installing plugins, deleting data, and performing any other action an administrator can. The severity is high (CVSS 8.8) because of the potential impact and the relative ease of exploitation. The root cause is missing authorization controls in the 'InstructorsController::prepare_object_for_database' function, which allows user role manipulation and so compromises site integrity and data confidentiality.
An attacker with a Student role or higher on a site running Masteriyo LMS up to version 2.1.6 can exploit this vulnerability. The attacker could manipulate the 'InstructorsController::prepare_object_for_database' function to change their own role to Administrator. This could be achieved through malicious code injection or request parameter manipulation. Once the attacker has administrator access, they can perform any action on the site, including installing malware, stealing data, and modifying content.
Exploit Status
EPSS: 0.05% (16th percentile)
The recommended solution is to update the Masteriyo LMS plugin to version 2.1.7 or later immediately; this version includes the fix for the privilege escalation vulnerability. Additionally, review the existing user roles on the site to identify and revoke any privileges that should not be there. Enforcing a robust password policy and enabling two-factor authentication (2FA) for all users, especially those with administrator roles, reduces the impact of a compromised account. Monitoring the site logs for unusual activity is also good security practice.
Update to version 2.1.7, or a newer patched version
A privilege escalation vulnerability means that a user with limited permissions can gain access to functions or data they normally would not have.
As a temporary measure, limit the access of users with Student roles to critical website functions. Regularly review user roles for unauthorized changes.
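As a compensating control for the temporary measure above, here is an added example (not Masteriyo's or WordPress core's code) of a must-use plugin that reverts and logs any grant of the administrator role made by an actor who lacks the promote_users capability. The two hook names are core WordPress actions; the apg_ function names and the log format are assumed for this example, and it assumes legitimate promotions come only from logged-in administrators or from WP-CLI.

```php
<?php
/**
 * Plugin Name: Admin Promotion Guard (hypothetical, added example)
 * Description: Reverts and logs any change that grants the 'administrator' role
 *              when the acting user lacks the 'promote_users' capability.
 *              Install as wp-content/mu-plugins/admin-promotion-guard.php.
 */

// Both hooks are core WordPress actions: set_user_role fires after
// WP_User::set_role() (also used by wp_insert_user), add_user_role after
// WP_User::add_role(). The "apg_" prefix is assumed, not a WordPress name.
add_action( 'set_user_role', 'apg_on_set_role', 10, 3 );
add_action( 'add_user_role', 'apg_on_add_role', 10, 2 );

function apg_on_set_role( $user_id, $new_role, $old_roles ) {
    if ( 'administrator' !== $new_role || apg_actor_may_promote() ) {
        return;
    }
    // Restore the previous role, or the site default if the user had none.
    $previous = ! empty( $old_roles ) ? reset( $old_roles ) : get_option( 'default_role', 'subscriber' );
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( $previous ); // re-fires set_user_role with a non-admin role, so no loop
    }
    apg_log( $user_id, 'role set to administrator', 'role restored to ' . $previous );
}

function apg_on_add_role( $user_id, $role ) {
    if ( 'administrator' !== $role || apg_actor_may_promote() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->remove_role( 'administrator' );
    }
    apg_log( $user_id, 'administrator role added', 'administrator role removed' );
}

// Promotions are legitimate from WP-CLI or from a logged-in user who may promote.
function apg_actor_may_promote() {
    return ( defined( 'WP_CLI' ) && WP_CLI ) || current_user_can( 'promote_users' );
}

// One line per blocked change, for the log review recommended on this page.
function apg_log( $user_id, $what, $outcome ) {
    $actor = wp_get_current_user();
    $uri   = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : 'n/a';
    error_log( sprintf( 'admin-promotion-guard: blocked %s for user %d by actor %d (%s) via %s; %s',
        $what, $user_id, $actor->ID, $actor->user_login ? $actor->user_login : 'unauthenticated', $uri, $outcome ) );
}
```

Because the guard acts at the role-change hooks rather than in the plugin's request handler, it also catches promotions that reach set_role() through other code paths; review the log lines it writes alongside the normal log review.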
Look for unusual activity in the website logs, such as suspicious logins, unexpected content changes, or accounts that gained the administrator role without an administrator granting it. Use a security scanner to look for malware.
There are WordPress vulnerability scanners that can detect this vulnerability. You can also manually review the plugin's code for the 'InstructorsController::prepare_object_for_database' function.
You can find more information about this vulnerability in the CVE vulnerability database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4484