CVE-2026-49111: WordPress Masteriyo - LMS plugin <= 2.2.0 - Privilege Escalation vulnerability
Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An incorrect privilege assignment vulnerability in the Masteriyo LMS WordPress plugin (versions up to and including 2.2.0) allows a logged-in user to escalate their own account privileges beyond what should be permitted. The vulnerability is reachable over the network and requires only a low-privilege account, such as a standard student or subscriber account. Successful exploitation gives the attacker full read, write, and availability impact on the affected installation, effectively granting them administrator-level control. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.
HarborGuard Coverage
Detection for CVE-2026-49111 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in connected registries and CI pipelines. Coverage extends to custom-built images that bundle the Masteriyo LMS plugin, regardless of how they were built or where they are stored.
Status: Available
HarborGuard scores this finding at CVSS 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no fix version has been published for CVE-2026-49111, HarborGuard re-checks the advisory and upstream plugin repository on every ingest cycle. The moment a patched version is released, a rebuilt image will become available, and customers with auto-remediation enabled will receive a regression-tested rebuild along with a pull request opened against affected workloads automatically.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress installation over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS, meaning any internet-facing or internally reachable WordPress site is in scope.
- Authentication: Required
  A low-privilege account is sufficient; any registered user such as a student or subscriber can trigger the privilege escalation without needing admin credentials.
- Victim interaction: Not required
  No victim interaction is needed; the attacker submits a crafted request directly and the escalation occurs without requiring another user to click anything or take any action.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond holding a valid low-privilege account.
Blast Radius
- Reads all site content, user data, private course materials, and stored credentials accessible to a WordPress administrator.
- Modifies or deletes any post, page, user account, or plugin and theme configuration on the site.
- Installs arbitrary plugins or themes, enabling persistent backdoors or further lateral movement within the hosting environment.
- Disrupts site availability by altering critical settings or removing core configuration, taking the LMS offline for legitimate users.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored with no fix version currently published by ThemeGrill. HarborGuard re-evaluates the advisory on every ingest cycle, watching for an upstream patch. While the vulnerability remains unpatched, compensating controls worth considering include network-policy isolation to restrict which internal services can reach the WordPress installation, egress filtering to limit outbound connections from the container running the plugin, and disabling or restricting new user registrations if the LMS does not require public sign-ups. For environments where the plugin is bundled into a container image, reviewing whether the container runs with least-privilege filesystem and process permissions can limit the blast radius of a successful escalation. The moment ThemeGrill publishes a fix, a patched-image rebuild will become available on HarborGuard, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads.
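Two of the compensating controls above can be applied on the WordPress side while the upstream fix is pending: turning off public registration so that a low-privilege account cannot be self-provisioned, and watching for the observable side effect of any privilege escalation, a user suddenly holding a role they did not have. The following must-use plugin is an added example written for this page; it is not HarborGuard's or ThemeGrill's code and is not specific to the Masteriyo endpoint. It assumes the site does not need public sign-ups, that the PHP error log is collected somewhere, and that `admin_email` reaches someone who will act on it. Hook names and WordPress functions used are the standard ones from core.

```php
<?php
/**
 * Plugin Name: LMS privilege-escalation guardrails (added example)
 * Description: Must-use plugin that disables public registration and alerts on role changes.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before ordinary plugins
 * and cannot be deactivated from the dashboard. Constructed example: the
 * registration block is only appropriate for sites without public sign-ups.
 */

defined( 'ABSPATH' ) || exit;

// 1. Compensating control: force "Anyone can register" off regardless of the
//    stored option, so an attacker cannot create their own low-privilege account.
add_filter( 'option_users_can_register', '__return_zero' );

// 2. Detection: every successful escalation ends with a role being assigned.
//    WordPress fires set_user_role (WP_User::set_role) and add_user_role
//    (WP_User::add_role); log both and alert on the suspicious cases.
function lms_guard_log_role_change( $user_id, $new_role, $old_roles = array() ) {
	$user  = get_userdata( $user_id );
	$actor = wp_get_current_user(); // ID 0 when the request is unauthenticated

	$line = sprintf(
		'[role-change] user=%s(%d) old=%s new=%s by=%s(%d) ip=%s uri=%s',
		$user ? $user->user_login : 'unknown',
		$user_id,
		implode( ',', (array) $old_roles ) ?: 'none',
		$new_role,
		$actor->exists() ? $actor->user_login : 'anonymous',
		$actor->ID,
		isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-',
		isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-'
	);

	// Written to the PHP error log (or wp-content/debug.log with WP_DEBUG_LOG);
	// forward that file to the SIEM so the line is searchable alongside web logs.
	error_log( $line );

	// Alert when someone who was not an administrator becomes one, or when the
	// acting user does not hold promote_users (i.e. could not legitimately do this).
	$became_admin = ( 'administrator' === $new_role )
		&& ! in_array( 'administrator', (array) $old_roles, true );
	$actor_may_promote = $actor->exists() && user_can( $actor, 'promote_users' );

	if ( $became_admin || ! $actor_may_promote ) {
		wp_mail(
			get_option( 'admin_email' ),
			'[' . get_bloginfo( 'name' ) . '] Suspicious role change',
			$line
		);
	}
}
add_action( 'set_user_role', 'lms_guard_log_role_change', 10, 3 );
add_action( 'add_user_role', 'lms_guard_log_role_change', 10, 2 );
```

The log line carries the acting user, the target user, the old and new roles, the client address, and the request URI, which is what an analyst needs to tell a legitimate promotion from an abused endpoint. One caveat: the hooks only fire for role changes made through the WP_User API; code that writes the user's capabilities meta directly bypasses them, so treat this as a detection layer alongside the network isolation and least-privilege container settings described above, not as a replacement for the upstream patch.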
Affected Products
- ThemeGrill / Masteriyo - LMS: ≤ 2.2.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H