CVE Catalog

CVE-2026-10824

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile — higher than 3% of all known CVEs

Summary

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

Risk Assessment

The lack of authorization checks poses a risk of unauthorized access to user data, potentially leading to data loss and privacy breaches.

Recommendation

It is recommended to update the Masteriyo LMS plugin to version 2.2.1 or later to mitigate these vulnerabilities.

Original NVD description (English source)

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS