Platform
wordpress
Component
masterstudy-lms-learning-management-system
Fixed in
3.7.26
3.7.26
CVE-2026-4817 is a Time-based Blind SQL Injection vulnerability discovered in the MasterStudy LMS WordPress plugin, a popular tool for creating and managing online courses. This vulnerability allows an attacker to potentially extract sensitive data from the database by manipulating SQL queries through the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint. The vulnerability affects versions of the plugin up to and including 3.7.25, and a patch is available in version 3.7.26.
CVE-2026-4817 affects the MasterStudy LMS WordPress plugin, used for creating and managing online courses. It allows for a Time-based Blind SQL Injection vulnerability through the 'order' and 'orderby' parameters in the /lms/stm-lms/order/items REST API endpoint. This is due to insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. An attacker could exploit this vulnerability to extract sensitive data from the database, such as usernames, passwords, or course information, although the process is slow and requires multiple requests to infer the information.
The vulnerability is exploited by sending malicious HTTP requests to the /lms/stm-lms/order/items REST API endpoint, manipulating the 'order' and 'orderby' parameters to inject SQL code. Because the injection is time-based blind, the attacker must infer the database information by analyzing the server's response times. This requires considerable technical knowledge and can be a slow and tedious process. The vulnerability is particularly severe if the database contains confidential information, such as user data or financial information.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The solution to this vulnerability is to update the MasterStudy LMS plugin to version 3.7.26 or higher. This update corrects the input sanitization and addresses the design flaw in the Query builder class. It is recommended to perform a full backup of the website before applying the update. Additionally, review server logs for any suspicious activity that may indicate an exploitation attempt. Implementing a Web Application Firewall (WAF) can provide an additional layer of protection against SQL injection attacks.
Update to version 3.7.26, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
It's a type of attack where an attacker injects SQL code into an application and then infers database information by analyzing the server's response times. There's no direct response revealing the information; instead, the attacker deduces it based on how long the server takes to respond to different queries.
If you are using a version prior to 3.7.26 of the MasterStudy LMS plugin, your website is vulnerable. You can use vulnerability scanning tools to identify the version of the plugin you are using.
Immediately change the passwords of all users with administrator privileges. Perform a full backup of the website and restore from a clean backup. Investigate server logs for any suspicious activity.
A Web Application Firewall (WAF) can help block SQL injection attacks. You can also use vulnerability scanning tools to identify and fix vulnerabilities on your website.
Yes, it is recommended to update the plugin even if you do not directly use the REST API endpoint. The vulnerability lies in the plugin's code and could be exploited in other ways.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.