CVE-2025-64212 – MasterStudy LMS Pro (< 4.7.16) – Broken Access Control Vulnerability
Affected Product: MasterStudy LMS Pro plugin by StylemixThemes (versions up to, but not including, 4.7.16)
CVE Identifier: CVE-2025-64212
Vulnerability Type: Missing authorization (Broken Access Control). The plugin fails to enforce proper permission checks when certain resources or functionality are accessed.
Weakness Classification: CWE-862 (Missing Authorization)
🔍 What this means
In simple terms: the plugin exposes some functionality without first checking that the caller is actually allowed to use it. An attacker who can reach that functionality can perform actions or read content that their role should not permit, which is the basis for privilege escalation or exposure of sensitive functions and data.
This is an access-control flaw rather than an injection or remote code execution bug, so its impact is bounded by what the unprotected functionality does. Note that the public description does not state which privilege level, if any, an attacker needs. Missing-authorization flaws in WordPress plugins range from requiring a low-privileged account (for example a subscriber or student) to being reachable by unauthenticated visitors, so assume the lower bar until the vendor's notes say otherwise.
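To make the weakness class concrete, here is an added illustration of the CWE-862 pattern as it typically appears in WordPress plugins: an AJAX handler and a REST route that act on a request without checking what the caller is permitted to do, beside their hardened forms. This is hypothetical example code written for this page, not MasterStudy LMS Pro's source; the action names, option name and route are invented, and nothing here describes the plugin's actual flaw.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in WordPress plugin code.
// Hypothetical: the hooks, option and route names below are invented for this page.

// --- Weak pattern -----------------------------------------------------------
// 'wp_ajax_' fires for any logged-in user regardless of role; 'wp_ajax_nopriv_'
// fires for anonymous visitors. Neither hook checks WHAT the caller may do.
add_action( 'wp_ajax_example_lms_save_setting',        'example_lms_save_setting_weak' );
add_action( 'wp_ajax_nopriv_example_lms_save_setting', 'example_lms_save_setting_weak' );

function example_lms_save_setting_weak() {
    // Missing authorization: no capability check, no nonce. A subscriber, or via
    // the nopriv hook an unauthenticated visitor, can change a site-wide setting.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_lms_setting', $value );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Logged-in hook only: anonymous users have no business changing settings.
add_action( 'wp_ajax_example_lms_save_setting_v2', 'example_lms_save_setting_hardened' );

function example_lms_save_setting_hardened() {
    // 1. Authorization: check the capability this action really requires.
    //    is_user_logged_in() alone is not authorization; every role passes it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. Request intent (CSRF): the nonce must have been minted for this action.
    //    check_ajax_referer() terminates the request with -1 / HTTP 403 on failure.
    check_ajax_referer( 'example_lms_save_setting', '_ajax_nonce' );

    // 3. Only now handle input.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_lms_setting', $value );
    wp_send_json_success( array( 'value' => $value ) );
}

// The same mistake in REST form is 'permission_callback' => '__return_true',
// which lets every caller through. Return the real capability check instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'example_lms_rest_save_setting',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'value' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_lms_rest_save_setting( WP_REST_Request $request ) {
    update_option( 'example_lms_setting', $request['value'] );
    return rest_ensure_response( array( 'value' => $request['value'] ) );
}
```

When reviewing a plugin for this class of bug, the question to ask of every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST handler is whether the first thing it does is a `current_user_can()` (or an equivalent ownership check) for the specific object and action, not merely whether the caller is logged in.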
✅ Why this matters
- The plugin is commonly used in WordPress sites for e-learning / online course platforms. A vulnerability here may impact not just the site owner, but user data, course content, instructors, etc.
- Broken access control issues are among the most serious types of security flaws, because they can bypass the fundamental assumption of “user X may only do what user X is permitted to do.”
- Even without a publicly published exploit (as of now) this kind of bug should be treated as urgent: once the details are out, attackers may rapidly attempt exploitation on vulnerable sites.
🛠 What you should do
- Check whether MasterStudy LMS Pro is installed and, if so, which version is running.
- If the version is earlier than 4.7.16, update to 4.7.16 or later as soon as possible.
- Check the StylemixThemes changelog or patch statement to confirm that the release you install addresses this issue.
- In the interim, if you cannot update immediately:
  - Restrict administrative access to known, trusted accounts only.
  - Audit accounts with elevated privileges and remove any you cannot account for.
  - Monitor logs for suspicious activity (for example, unexpected requests to admin endpoints, unauthorized uploads, or access to content beyond a user's normal scope).
  - Where feasible, apply compensating controls (limit the plugin's exposed functionality via a WAF, restrict access by IP, disable unused endpoints or features).
- After updating, verify that access controls behave as expected: test with a non-privileged account that administrative resources remain blocked.
- Consider broader hardening: keep WordPress core, plugins and themes up to date, make sure backups are in place, and have monitoring and alerting for anomalous behaviour.
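The first step above, finding out whether an affected version is installed, is easy to get wrong when done by eye or with a plain string comparison ("4.7.9" sorts after "4.7.16" as text). As an added example, not part of the advisory or the plugin, the following WP-CLI script locates the plugin by its declared header name and compares the installed version with `version_compare()`. The header name matched here ("MasterStudy LMS Pro") and the fixed-version constant are assumptions taken from this page; adjust them to what you see under wp-content/plugins/ on your site.

```php
<?php
// Added example: run from the site root with `wp eval-file check-masterstudy.php`.
// Hypothetical helper for this page, not part of MasterStudy LMS Pro.

// Assumption from the advisory text: 4.7.16 is the first fixed release.
define( 'EXAMPLE_FIXED_VERSION', '4.7.16' );

// Assumption: the plugin header's "Plugin Name" contains this string.
define( 'EXAMPLE_PLUGIN_NAME_NEEDLE', 'MasterStudy LMS Pro' );

/**
 * True when $installed is older than the fixed version.
 * version_compare() compares component by component, so 4.7.9 < 4.7.16 and
 * 4.7.16-beta1 < 4.7.16; a plain string comparison gets both of these wrong.
 */
function example_is_affected( $installed, $fixed = EXAMPLE_FIXED_VERSION ) {
    return version_compare( $installed, $fixed, '<' );
}

/**
 * Returns array( plugin_file, version, is_active ) or null when not installed.
 * get_plugins() parses every plugin's header, so we match on the declared name
 * rather than guessing the directory slug.
 */
function example_find_plugin_by_name( $needle ) {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( stripos( $data['Name'], $needle ) !== false ) {
            return array( $file, $data['Version'], is_plugin_active( $file ) );
        }
    }
    return null;
}

function example_report( $message ) {
    if ( class_exists( 'WP_CLI' ) ) {
        WP_CLI::log( $message );
    } else {
        echo $message, PHP_EOL;
    }
}

$found = example_find_plugin_by_name( EXAMPLE_PLUGIN_NAME_NEEDLE );

if ( null === $found ) {
    example_report( EXAMPLE_PLUGIN_NAME_NEEDLE . ' not found among installed plugins.' );
} else {
    list( $file, $version, $active ) = $found;
    $verdict = example_is_affected( $version )
        ? 'AFFECTED by CVE-2025-64212, update to ' . EXAMPLE_FIXED_VERSION . ' or later'
        : 'not affected (version >= ' . EXAMPLE_FIXED_VERSION . ')';
    example_report( sprintf(
        '%s %s (%s): %s',
        $file,
        $version,
        $active ? 'active' : 'inactive',
        $verdict
    ) );
}
```

Treat an inactive-but-installed copy as a finding too: update or delete it rather than leaving outdated code on disk. For the post-update verification step, the concrete request to replay as a non-privileged user depends on which functionality the vendor's changelog says was fixed, so read that first and then confirm the corresponding admin-side action is refused for a subscriber or student account.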
📋 Summary
The vulnerability identified as CVE-2025-64212 affects MasterStudy LMS Pro (versions before 4.7.16) and is due to missing authorization checks (broken access control). Website owners using this plugin should treat this as high-priority for update and mitigation, given the exposure risk to content, user data and administrative functions.