CVE-2026-10824
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.
Risk Assessment
The lack of authorization checks poses a risk of unauthorized access to user data, potentially leading to data loss and privacy breaches.
Recommendation
It is recommended to update the Masteriyo LMS plugin to version 2.2.1 or later to mitigate these vulnerabilities.
Original NVD description (English source)
The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

