CVE-2026-10824 PUBLISHED

Masteriyo LMS < 2.2.1 - Unauthenticated Course Progress Disclosure and Deletion

Assigner: WPScan
Reserved: 04.06.2026 Published: 25.06.2026 Updated: 25.06.2026

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

Product Status

Vendor: Unknown
Product: Masteriyo LMS
Versions: Default: unaffected
  • affected from 0 to 2.2.1 (excl.)

Credits

  • Muni Nitish Kumar Yaddala (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-284: Improper Access Control