Atomic Edge analysis of CVE-2026-4817:
This vulnerability is an authenticated time-based blind SQL injection in the MasterStudy LMS WordPress plugin, affecting versions up to and including 3.7.25. The vulnerability resides in the /lms/stm-lms/order/items REST API endpoint, specifically in the handling of the `order` and `orderby` parameters. Attackers with subscriber-level access or higher can exploit this flaw to extract sensitive database information.
The root cause is a design flaw in the custom Query builder class located at /_core/lms/classes/vendor/Query.php. The `sort_by` method (lines 669-678 in the vulnerable version) contains logic that detects parentheses in the input. When parentheses are present, the code treats the value as a SQL function and concatenates it directly into the ORDER BY clause without quoting. While `esc_sql()` is applied to the parameters in calling functions such as `StmStatistics::get_user_order_items()` (line 107 in /_core/lms/classes/models/StmStatistics.php), this escaping only handles quotes and backslashes, which is only meaningful for a value placed inside a quoted string literal. It cannot prevent SQL injection when the value lands unquoted in the final SQL statement, as an ORDER BY expression does.
Exploitation requires an authenticated attacker with at least subscriber privileges to send crafted requests to the REST API endpoint /wp-json/lms/stm-lms/order/items. The attacker manipulates the `orderby` parameter with a payload containing parentheses to bypass the quoting logic. A typical time-based injection payload would be: `orderby=(CASE WHEN (SELECT SLEEP(5) FROM wp_users WHERE ID=1) THEN id ELSE post_date END)`. The `order` parameter can also be manipulated with similar payloads. The time delay in the database response confirms successful injection and allows data exfiltration bit by bit.
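Requests of the kind described above leave a recognisable trace in web server access logs: a call to the order-items endpoint whose `orderby` value is not a bare column name, or whose `order` value is not ASC/DESC. The following scanner is an added example written for this analysis, not code from the plugin or from Atomic Edge. It assumes Apache/Nginx combined-format log lines and parameters carried in the URL query string; the log lines are constructed samples, and the IPs are documentation addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names come from the advisory; the validation rules mirror
# what the patched plugin accepts (bare column name, ASC/DESC only).
ENDPOINT = "/wp-json/lms/stm-lms/order/items"
SAFE_COLUMN = re.compile(r"^[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)?$")
SAFE_DIRECTION = {"asc", "desc"}

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def suspicious_params(target: str) -> list:
    """Return (param, value, reason) tuples for order/orderby values the patched
    validator would reject. Only requests to the affected endpoint are examined."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    findings = []
    # parse_qs percent-decodes, so "%28CASE..." becomes "(CASE..." before the check.
    qs = parse_qs(parts.query, keep_blank_values=True)
    for value in qs.get("orderby", []):
        if not SAFE_COLUMN.match(value):
            findings.append(("orderby", value, "not a bare column name"))
    for value in qs.get("order", []):
        if value.lower() not in SAFE_DIRECTION:
            findings.append(("order", value, "not ASC/DESC"))
    return findings


def scan_log(lines) -> list:
    """Scan log lines and return one alert dict per rejected parameter value."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        for param, value, reason in suspicious_params(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                           "param": param, "value": value, "reason": reason})
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:14:02 +0000] "GET /wp-json/lms/stm-lms/order/items'
    '?orderby=post_date&order=desc HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2026:10:14:09 +0000] "GET /wp-json/lms/stm-lms/order/items'
    '?orderby=%28CASE%20WHEN%201%3D1%20THEN%20id%20ELSE%20post_date%20END%29&order=asc HTTP/1.1" 200 518',
    '203.0.113.7 - - [12/Mar/2026:10:14:15 +0000] "GET /wp-json/lms/stm-lms/order/items'
    '?orderby=id&order=desc%2Cid HTTP/1.1" 200 518',
    '198.51.100.4 - - [12/Mar/2026:10:15:00 +0000] "GET /wp-json/wp/v2/posts?orderby=(date) HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['param']}={alert['value']!r}: {alert['reason']}")
```

The fourth sample line hits a different endpoint and is deliberately ignored, so the scanner does not fire on every parenthesised `orderby` across the site. Because access logs only record the URL, parameters sent in a request body are invisible to this check; for those, the same validation has to run in a WAF or in the application itself, and a slow-response signal (if the log format records request duration) is the complementary indicator for a time-based technique.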
The patch introduces two key changes. First, it adds new sanitization methods `normalize_order_direction()` and `normalize_orderby()` in the StmStatistics class (lines 52-62 in /_core/lms/classes/models/StmStatistics.php). These methods strictly validate input against allowed values. The `normalize_orderby()` function uses `sanitize_key()` and maps the input to a predefined whitelist of column names. Second, the Query.php file receives a complete overhaul of its `sanitize_sort_by()` method (lines 231-278). This new method validates column names using the strict regex pattern `^[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)?$`, which admits only a bare identifier with an optional single `table.column` qualifier, and removes the dangerous parentheses detection logic. The `sanitize_order_direction()` method in Query.php also restricts the order direction to only `ASC` or `DESC`.
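To make the root-cause and patch sections above concrete, the following Python re-creates both the flawed pattern (escape, then concatenate unquoted when parentheses are present) and the patched pattern (key-sanitize, allow-list, identifier regex, ASC/DESC only). It is an added example for this analysis, not the plugin's PHP code; `esc_sql_like()` and `sanitize_key_like()` are stand-ins for the WordPress functions named in the text, the allow-listed column names and the sample table are constructed, and the parenthesised input is a harmless placeholder that has the same shape as the advisory's payload but no timing primitive.

```python
import re
import sqlite3


def esc_sql_like(value: str) -> str:
    """Stand-in for WordPress esc_sql(): escapes backslashes and quotes only.
    It never touches parentheses, spaces or keywords."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_sort_by(orderby: str, order: str) -> str:
    """Flawed pattern described in the advisory: a value containing parentheses
    is treated as a SQL function and concatenated without quoting."""
    orderby = esc_sql_like(orderby)
    if "(" in orderby and ")" in orderby:
        column = orderby            # attacker-controlled expression, verbatim
    else:
        column = f"`{orderby}`"
    return f"ORDER BY {column} {esc_sql_like(order)}"


# Constructed allow-list; the real plugin's list is not reproduced here.
ALLOWED_COLUMNS = {"id", "post_date", "user_id", "total"}
# Regex quoted in the advisory: bare identifier with optional table qualifier.
COLUMN_RE = re.compile(r"^[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)?$")


def sanitize_key_like(value: str) -> str:
    """Stand-in for WordPress sanitize_key(): lowercase, keep only [a-z0-9_-]."""
    return re.sub(r"[^a-z0-9_\-]", "", value.lower())


def normalize_orderby(orderby: str, default: str = "id") -> str:
    """Map the request value onto the allow-list; anything else falls back."""
    key = sanitize_key_like(orderby)
    return key if key in ALLOWED_COLUMNS else default


def normalize_order_direction(order: str) -> str:
    """Only two outcomes are possible, whatever the input."""
    return "DESC" if order.strip().upper() == "DESC" else "ASC"


def safe_sort_by(orderby: str, order: str) -> str:
    """Patched pattern: the column reaching the SQL string is always allow-listed
    and re-checked against the identifier regex."""
    column = normalize_orderby(orderby)
    if not COLUMN_RE.match(column):
        raise ValueError("invalid column name")
    return f"ORDER BY {column} {normalize_order_direction(order)}"


def run_sorted(orderby: str, order: str) -> list:
    """Execute the hardened clause against a constructed in-memory table and
    return the ids in the order the database produced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, post_date TEXT, total REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "2024-01-03", 9.0), (2, "2024-01-01", 5.0), (3, "2024-01-02", 7.5)])
    rows = conn.execute("SELECT id FROM items " + safe_sort_by(orderby, order)).fetchall()
    conn.close()
    return [r[0] for r in rows]


# Placeholder expression with the advisory's shape (parentheses, CASE) but no delay.
PARENTHESISED = "(CASE WHEN 1=1 THEN id ELSE post_date END)"

if __name__ == "__main__":
    print(vulnerable_sort_by(PARENTHESISED, "ASC"))   # expression survives escaping
    print(safe_sort_by(PARENTHESISED, "ASC"))         # collapses to the default column
    print(run_sorted("post_date", "asc"))
```

The instructive comparison is `esc_sql_like(PARENTHESISED) == PARENTHESISED`: escaping is a no-op on the input, so the vulnerable builder emits the expression verbatim, whereas the hardened path never lets a request value reach the SQL string at all, only a member of the allow-list.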
Successful exploitation allows attackers to perform time-based blind SQL injection against the WordPress database. Attackers can extract sensitive information including user credentials (hashed passwords), session tokens, personal data, and other confidential information stored in the database. This could lead to account takeover, privilege escalation, and complete site compromise depending on the extracted data.
