CVE-2026-39524: WordPress Masteriyo - LMS plugin <= 2.1.5 - Payment Bypass vulnerability
Unauthenticated Broken Access Control in Masteriyo - LMS <= 2.1.5 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no fix version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a broken access control vulnerability (a type of authorization bypass) in the Masteriyo LMS plugin for WordPress, affecting versions 2.1.5 and earlier. The vulnerability is reachable over the network and requires no authentication or user interaction, meaning any remote visitor can trigger it without holding an account. Successful exploitation allows an attacker to bypass payment controls, potentially enrolling in paid courses or accessing paid content without completing a legitimate transaction. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-39524 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Masteriyo LMS plugin. Any image found to carry an affected version of the plugin is flagged immediately.
Status: Available
HarborGuard scores this finding at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is capable of weighting that score against each customer environment's compliance policy to reflect business context. Routed alerts are available to the appropriate team inbox within each customer organization based on policy configuration.
Status: Available
Because no upstream fix version has been published for this CVE, HarborGuard re-checks the Patchstack advisory and upstream plugin repository on every ingest cycle. A patched-image rebuild will become available automatically the moment a fix version is released by ThemeGrill.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress site over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS.
- Authentication: Not required
No account or session token of any kind is needed; the access control bypass is reachable by any anonymous HTTP request.
- Victim interaction: Not required
No user action, click, or social engineering is required to trigger the vulnerability.
- Attack complexity: Low
Exploit complexity is low: no race conditions, memory layout knowledge, or special environmental conditions are needed for a reliable attack.
Blast Radius
- Attacker bypasses payment enforcement and gains enrollment access to one or more paid courses without completing a purchase.
- Paid course content (lessons, quizzes, downloads) becomes readable by unauthorized users, defeating monetization controls.
- Order or enrollment records in the WordPress database may be written or modified to reflect a falsely completed payment state.
How HarborGuard Handles This
Available on HarborGuard: because no patch exists for CVE-2026-39524 at this time, HarborGuard continuously monitors the Patchstack advisory and the ThemeGrill plugin repository on every ingest cycle. For containers running affected Masteriyo LMS versions, HarborGuard can surface compensating-control recommendations including network-policy rules that restrict unauthenticated access to payment-related REST or AJAX endpoints, egress filtering to limit lateral exposure, and feature-flag or WAF-rule gating where supported by the deployment environment. Where compliance policy permits, a patched-image rebuild and a pull request against affected workloads will be made available automatically the moment ThemeGrill publishes a fix version, with no manual triage step required for customers who have auto-remediation enabled.
- ThemeGrill / Masteriyo - LMS: ≤ 2.1.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
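As an added illustration (not HarborGuard's or ThemeGrill's code), the kind of inventory check described under HarborGuard Coverage: read a WordPress plugin's header comment and flag it when the version falls in the affected range (≤ 2.1.5). The plugin header embedded below is constructed for the example, and the function names are assumptions; the one subtlety worth showing is that versions must be compared numerically, since a plain string comparison would wrongly treat 2.1.10 as older than 2.1.5.

```python
import re

# Affected range from the advisory: Masteriyo - LMS <= 2.1.5 (no fixed version published).
AFFECTED_MAX = "2.1.5"

# Constructed sample of a WordPress plugin file header (not Masteriyo's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Masteriyo - LMS
 * Version: 2.1.5
 */
"""


def parse_plugin_header(src: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header comment."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(rf"^\s*\*?\s*{re.escape(key)}:\s*(.+?)\s*$", src, re.M)
        if m:
            fields[key] = m.group(1)
    return fields


def version_key(v: str) -> tuple:
    """Numeric comparison key: '2.1.10' sorts after '2.1.5', which plain string
    comparison gets wrong ('2.1.10' <= '2.1.5' is True as strings)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True when the plugin version is within the advisory's affected range."""
    return version_key(version) <= version_key(affected_max)


def check_plugin(src: str) -> dict:
    """Return the parsed name/version and whether this file is an affected Masteriyo build."""
    hdr = parse_plugin_header(src)
    name = hdr.get("Plugin Name", "")
    ver = hdr.get("Version")
    affected = name.startswith("Masteriyo") and ver is not None and is_affected(ver)
    return {"name": name, "version": ver, "affected": affected}


if __name__ == "__main__":
    print(check_plugin(SAMPLE_HEADER))
```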