MasterStudy LMS Pro <= 4.8.20 Authenticated SQL Injection via 'columns' Parameter (CVE-2026-4653)

Vulnerability Overview Vulnerability Name: MasterStudy LMS Pro Plus <= 4.8.20 - Authenticated (Instructor+) SQL Injection via 'columns' Parameter CVE ID: CVE-2026-4653 CVSS Score: 6.5 (Medium) Publication Date: June 3, 2026 Last Updated: June 4, 2026 Researcher: Rafie Muhammad - Awesome Mute, Inc. Affected Scope Software Type: Plugin Software Name: MasterStudy LMS Pro Affected Versions: <= 4.8.20 Fixed Versions: 4.8.21 Remediation Mitigation: Update to version 4.8.21 or later. Vulnerability Description The MasterStudy LMS Pro Plus plugin for WordPress contains a generic SQL injection vulnerability in the 'columns' parameter, affecting all versions up to 4.8.20. Due to insufficient input sanitization of user-supplied parameters, an attacker can append additional SQL queries to existing ones, thereby extracting sensitive information from the database. References stylemixthemes.com Additional Information CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Recent Vulnerabilities MasterStudy LMS Pro < 4.7.16 - Missing Authorization - CVE ID: CVE-2025-64215 - CVSS Score: 5.3 - Researcher: Rafie Muhammad - Date: April 23, 2026 MasterStudy LMS Pro < 4.7.16 - Missing Authorization - CVE ID: CVE-2025-64212 - CVSS Score: 4.3 - Researcher: Rafie Muhammad - Date: October 12, 2025 MasterStudy LMS Pro < 4.7.16 - Authenticated (Subscriber+) Information Exposure - CVE ID: CVE-2025-64213 - CVSS Score: 4.3 - Researcher: Rafie Muhammad - Date: October 12, 2025 MasterStudy LMS Pro < 4.7.16 - Missing Authorization to Unauthenticated Arbitrary Content Deletion - CVE ID: CVE-2025-64214 - CVSS Score: 5.3 - Researcher: Rafie Muhammad - Date: October 12, 2025 MasterStudy LMS - Online Courses, eLearning PRO Plus <= 4.7.9 - Authenticated (Subscriber+) Arbitrary File Upload - CVE ID: CVE-2025-7438 - CVSS Score: 7.5 - Researcher: Thai An - Date: July 17, 2025 MasterStudy LMS Pro <= 4.7.0 - Authenticated (Subscriber+) Arbitrary File Upload - CVE ID: CVE-2025-4800 - CVSS Score: 8.8 - Researcher: Foxxy - Date: May 27, 2025 Summary The MasterStudy LMS Pro Plus plugin contains a SQL injection vulnerability affecting versions <= 4.8.20. It is recommended to update to version 4.8.21 or later to resolve this issue.

Goal Reached Thanks to every supporter — we hit 100%!

MasterStudy LMS Pro <= 4.8.20 Authenticated SQL Injection via 'columns' Parameter (CVE-2026-4653)

More from this source