Atomic Edge analysis of CVE-2026-0559:
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the MasterStudy LMS WordPress plugin. The vulnerability resides in the `stm_lms_courses_grid_display` shortcode handler. Attackers with contributor-level or higher permissions can inject malicious scripts into pages, which execute when a victim views the page. The CVSS score of 6.4 reflects a medium-severity impact.

The root cause is insufficient input sanitization and output escaping for user-supplied shortcode attributes. In the vulnerable version, the function `stm_lms_courses_grid_display` in `/masterstudy-lms-learning-management-system/_core/includes/shortcodes/grid.php` directly passed the raw `$atts` array to the template rendering functions `STM_LMS_Templates::show_lms_template`. The function did not validate, sanitize, or escape the attribute values before they were rendered in the page’s HTML context.

Exploitation requires an authenticated user with the contributor role or higher. The attacker creates or edits a post or page and inserts the shortcode `[stm_lms_courses_grid_display]` with malicious HTML attributes containing JavaScript payloads. For example, an attacker could use `[stm_lms_courses_grid_display load_more="1" onmouseover="alert(document.cookie)"]`. When the page is saved and later viewed by any user, the malicious script executes in the victim’s browser.

The patch modifies the `stm_lms_courses_grid_display` function. It introduces a `$defaults` array and uses `shortcode_atts` to parse attributes. It creates a new `$sanitized_atts` array. The only allowed attribute, `load_more`, is strictly cast to an integer (0 or 1). This sanitized array, not the raw user input, is passed to the template functions. The patch also increments the plugin version to 3.7.12 in the `init.php` and main plugin files.
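
The same allowlist can be used to audit content that was saved before the update. The following is an added example, not code from the plugin or from Atomic Edge: it scans post bodies (assumed to be exported from `wp_posts.post_content`; the sample posts are constructed) and reports any use of the shortcode that carries an attribute other than `load_more`, or a `load_more` value other than 0 or 1. The attribute parser is a simplified approximation, not WordPress's own.

```python
import re

SHORTCODE = "stm_lms_courses_grid_display"
# Per the patch description: load_more is the only accepted attribute, as 0 or 1.
ALLOWED = {"load_more": {"0", "1"}}

TAG_RE = re.compile(r"\[" + SHORTCODE + r"(?=[\s\]/])([^\]]*)\]")
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

def parse_atts(raw):
    """Parse name=value pairs (simplified; not WordPress's shortcode_parse_atts)."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        atts[m.group(1).lower()] = value
    return atts

def audit_post(post_id, content):
    """Return (post_id, attribute, value, reason) for every non-allowlisted use."""
    findings = []
    for tag in TAG_RE.finditer(content):
        raw = tag.group(1)
        for name, value in parse_atts(raw).items():
            if name not in ALLOWED:
                findings.append((post_id, name, value, "unexpected attribute"))
            elif value not in ALLOWED[name]:
                findings.append((post_id, name, value, "value is not 0 or 1"))
        # Text the parser could not consume (for example a quoted value cut
        # short by a ']') is reported rather than silently ignored.
        leftover = ATTR_RE.sub("", raw).strip(" \t\r\n/")
        if leftover:
            findings.append((post_id, None, leftover, "unparsed attribute text"))
    return findings

# Constructed sample posts; post 102 carries the attribute pattern quoted in the advisory.
POSTS = {
    101: 'Intro [stm_lms_courses_grid_display load_more="1"] outro',
    102: '[stm_lms_courses_grid_display load_more="1" onmouseover="alert(document.cookie)"]',
    103: "[stm_lms_courses_grid_display load_more='yes']",
    104: "[stm_lms_courses_grid_display]",
}

def audit_all(posts):
    return [f for pid, body in posts.items() for f in audit_post(pid, body)]

if __name__ == "__main__":
    for finding in audit_all(POSTS):
        print(finding)
```

Posts flagged this way should be reviewed and cleaned in addition to updating the plugin, since content saved earlier remains in the database.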

Successful exploitation allows an attacker to inject arbitrary JavaScript into pages. This can lead to session hijacking, account takeover, defacement, or redirection to malicious sites. The attacker can perform actions within the victim’s session, potentially escalating privileges if an administrator views the compromised page.