Masteriyo LMS WordPress Plugin Allows Unpaid Access to Paid Courses

CVE-2026-5167
Summary

The Masteriyo LMS plugin for WordPress is vulnerable to a security issue that could allow anyone to access paid courses without paying. The cause is that the plugin does not reliably verify the authenticity of certain incoming requests before acting on them. To protect your courses, update the plugin to a version that fixes this issue or remove it until a fix is available.

Original title
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7...
Original description
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.
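The fail-open pattern described above (verify the signature only when both a secret is configured and the header is present) versus a fail-closed one, as an added illustration that is not the plugin's code: `sign_payload`, `verify_stripe_signature`, the two `handle_webhook_*` functions, the `whsec_example` secret and the `ORDER-PLACEHOLDER` event are all constructed here. The header format modelled is Stripe's documented `t=<unix ts>,v1=<hex HMAC-SHA256 of "<ts>.<body>">` scheme; the replay tolerance of 300 seconds is an assumption.

```python
import hashlib
import hmac
import json
import time


def sign_payload(payload: bytes, secret: str, ts: int) -> str:
    """Build a signature header the way a legitimate sender would (helper for tests)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_stripe_signature(payload: bytes, sig_header: str, secret: str,
                            tolerance: int = 300, now=None) -> bool:
    """Fail-closed verification: a missing secret, missing header, malformed
    header, stale timestamp or MAC mismatch is always a rejection."""
    if not secret or not sig_header:
        return False
    fields = dict(p.split("=", 1) for p in sig_header.split(",") if "=" in p)
    ts, v1 = fields.get("t", ""), fields.get("v1", "")
    if not ts.isdigit() or not v1:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(ts)) > tolerance:   # replay window (assumed value)
        return False
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, v1)   # constant-time comparison


def handle_webhook_fail_open(payload: bytes, headers: dict, settings: dict, now=None):
    """The conditional pattern the advisory describes: verification runs only
    when BOTH a secret is configured AND the header is present; with the
    default empty secret the body is trusted as-is."""
    secret = settings.get("webhook_secret", "")   # advisory: defaults to ""
    sig = headers.get("HTTP_STRIPE_SIGNATURE")
    if secret and sig:
        if not verify_stripe_signature(payload, sig, secret, now=now):
            return ("rejected", None)
    event = json.loads(payload)
    return ("processed", event["data"]["object"]["metadata"]["order_id"])


def handle_webhook_fail_closed(payload: bytes, headers: dict, settings: dict, now=None):
    """Hardened form: an unconfigured secret or absent header is itself a failure,
    so nothing in the body is acted on unless the MAC checks out."""
    secret = settings.get("webhook_secret", "")
    sig = headers.get("HTTP_STRIPE_SIGNATURE", "")
    if not verify_stripe_signature(payload, sig, secret, now=now):
        return ("rejected", None)
    event = json.loads(payload)
    return ("processed", event["data"]["object"]["metadata"]["order_id"])


# Constructed sample event (not a real Stripe message) with a placeholder order id.
SAMPLE_EVENT = json.dumps({
    "type": "checkout.session.completed",
    "data": {"object": {"metadata": {"order_id": "ORDER-PLACEHOLDER"}}},
}).encode()

if __name__ == "__main__":
    ts = int(time.time())
    settings = {"webhook_secret": "whsec_example"}   # constructed secret
    good = {"HTTP_STRIPE_SIGNATURE": sign_payload(SAMPLE_EVENT, settings["webhook_secret"], ts)}
    print(handle_webhook_fail_open(SAMPLE_EVENT, {}, {"webhook_secret": ""}))    # processed unverified
    print(handle_webhook_fail_closed(SAMPLE_EVENT, {}, {"webhook_secret": ""}))  # rejected
    print(handle_webhook_fail_closed(SAMPLE_EVENT, good, settings, now=ts))      # processed, verified
```

The point the two handlers make is that the secret being empty should disable the endpoint, not disable the check; a site operator can confirm which behaviour a plugin has by sending an unsigned test event to a staging install and watching whether any order state changes.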
NVD CVSS 3.1 score: 5.3
Vulnerability type
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026