HIGH | CVE-2026-40766 | CNA: Patchstack

CVE-2026-40766: WordPress MasterStudy LMS plugin <= 3.7.25 - SQL Injection vulnerability

Subscriber SQL Injection in MasterStudy LMS <= 3.7.25 versions.

Metrics

CVSS v3.1: 8.5
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a SQL injection vulnerability in the MasterStudy LMS WordPress plugin, versions 3.7.25 and earlier, developed by StylemixThemes. The flaw is reachable over the network and requires only a low-privilege account (subscriber level), with no victim interaction needed. Successful exploitation gives an attacker read access to sensitive database contents and causes minor service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment the upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-40766 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built images that bundle the MasterStudy LMS plugin. Scanning runs continuously in both registry and CI/CD pipeline contexts, so newly pushed images are checked without requiring manual intervention.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 8.5 (HIGH) and weighting that score against each customer environment's compliance policy to determine priority. Triage routing rules can direct the resulting finding to the appropriate team inbox within each customer organization based on asset ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published for CVE-2026-40766, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment StylemixThemes ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual steps once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress instance via HTTP/HTTPS to send a malicious SQL payload.

  • Authentication: Required

    A low-privilege account (subscriber level) is sufficient; no administrative access is needed, but the attacker must hold valid credentials for the target WordPress site.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is required; the attacker sends the malicious request directly to the plugin endpoint.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no specific race conditions, memory layout knowledge, or other environmental preconditions.

Blast Radius

  • Reads arbitrary database rows, which on a WordPress site typically includes stored user credentials (hashed passwords), email addresses, session tokens, and private post content.
  • Exposes plugin and theme configuration data that may contain API keys, payment gateway credentials, or third-party service secrets stored in the database.
  • Causes limited availability impact to the database service under certain query conditions, which may result in slow or failed page loads for site visitors.

How HarborGuard Handles This

Available on HarborGuard: because no fix has been published for CVE-2026-40766 as of the CVE publication date, HarborGuard monitors the Patchstack advisory and upstream StylemixThemes release channels on every ingest cycle. As soon as a patched version of MasterStudy LMS is released, a rebuilt image at the fixed version becomes available, and customers with auto-remediation enabled will receive a rebuild, regression test run, and an automatically opened PR against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to restrict inbound access to the WordPress service to trusted IP ranges, egress filtering to limit what the web application container can reach on the database network segment, and where operationally feasible, disabling the affected plugin feature via its own feature-flag or access-control settings until a patch is available. HarborGuard will surface the advisory update and trigger the remediation flow without requiring manual re-scanning once upstream ships.

Affected packages
  • StylemixThemes / MasterStudy LMS
    ≤ 3.7.25
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L