Atomic Edge analysis of CVE-2025-13766:
This vulnerability is a Missing Authorization flaw (CWE-862) in the MasterStudy LMS WordPress plugin affecting versions up to and including 3.7.6. It allows authenticated attackers with Subscriber-level permissions or higher to perform unauthorized actions through multiple REST API endpoints. The CVSS score of 5.4 places the issue at Medium severity; the score is driven mainly by the impact on data integrity, since the affected actions modify and delete site content.
Atomic Edge research identifies the root cause as missing capability checks on several REST API endpoints registered by the plugin. The vulnerable endpoints include those handling media file uploads, post modifications, deletions, and course template management. The plugin's REST API initialization occurs in the file `masterstudy-lms-learning-management-system/_core/lms/classes/rest.php`. The endpoints are registered via `register_rest_route()` with a permission callback that only tests `is_user_logged_in()`; no capability check is performed, so authentication is confused with authorization. As a result any authenticated user, regardless of the capabilities granted by their WordPress role, can reach administrative functions.
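The following audit script is an added example, not Atomic Edge's or the plugin's code. It enumerates the routes WordPress has registered under a namespace and flags every handler whose `permission_callback` is absent or is one of the callbacks that grant access to all logged-in (or all) users, which is exactly the pattern described above. It runs inside WordPress (for instance with `wp eval-file rest-audit.php`); the `/lms/` prefix follows this analysis, and the `lms_audit_*` function names are assumptions. Closures are skipped because their bodies cannot be inspected at runtime, so a closure that merely wraps `is_user_logged_in()` still needs a manual look.

```php
<?php
/**
 * Added example (not the plugin's or Atomic Edge's code): list REST routes under a
 * namespace whose permission_callback does not perform a capability check.
 * Run inside WordPress, e.g. `wp eval-file rest-audit.php`.
 * The "/lms/" prefix follows the advisory; function names are assumptions.
 */

// Callbacks that check authentication (or nothing at all) rather than a capability.
const LMS_AUDIT_WEAK_CALLBACKS = array( 'is_user_logged_in', '__return_true' );

function lms_audit_methods( $methods ) {
    // WordPress normalises methods to array( 'POST' => true ); tolerate a plain list too.
    $out = array();
    foreach ( (array) $methods as $key => $value ) {
        $out[] = strtoupper( is_string( $key ) ? $key : (string) $value );
    }
    return array_values( array_unique( $out ) );
}

function lms_audit_weak_routes( array $routes, $prefix = '/lms/' ) {
    $findings = array();
    foreach ( $routes as $route => $handlers ) {
        if ( 0 !== strpos( $route, $prefix ) ) {
            continue;
        }
        foreach ( $handlers as $handler ) {
            $callback = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $callback ) {
                // WordPress runs the handler when no permission_callback is set at all.
                $reason = 'no permission_callback: reachable without authentication';
            } elseif ( is_string( $callback ) && in_array( $callback, LMS_AUDIT_WEAK_CALLBACKS, true ) ) {
                $reason = $callback . '(): authentication only, no capability check';
            } else {
                continue; // closure or other named function: inspect it by hand
            }
            $findings[] = array(
                'route'   => $route,
                'methods' => implode( ',', lms_audit_methods( $handler['methods'] ) ),
                'reason'  => $reason,
            );
        }
    }
    return $findings;
}

// rest_get_server() fires rest_api_init on first use, so plugin routes are registered by now.
$findings = lms_audit_weak_routes( rest_get_server()->get_routes() );
foreach ( $findings as $finding ) {
    printf( "%-7s %-45s %s\n", $finding['methods'], $finding['route'], $finding['reason'] );
}
if ( empty( $findings ) ) {
    echo "No weakly guarded routes under /lms/\n";
}
```

The route keys returned by `WP_REST_Server::get_routes()` carry the namespace as a leading path segment (for example `/lms/media/upload`), which is why the prefix match is done on the full route string rather than on the namespace argument passed to `register_rest_route()`.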
The exploitation method involves an authenticated attacker sending crafted HTTP requests to the vulnerable REST API endpoints. The attacker needs a valid session: with cookie authentication, the WordPress login cookie and a matching `wp_rest` nonce sent in the `X-WP-Nonce` header (without the nonce, the REST API treats the request as unauthenticated); an application password over HTTP Basic authentication works as well. A Subscriber account, which many LMS sites hand out through open registration, is sufficient. The primary attack vector targets the `/wp-json/lms/` namespace endpoints. For example, to upload arbitrary media files, an attacker would send a POST request to `/wp-json/lms/media/upload` with multipart form data containing the malicious file. To delete or modify posts, the attacker targets endpoints like `/wp-json/lms/posts/{id}` with DELETE or PUT methods. The specific vulnerable endpoints include those for course template management (`/wp-json/lms/course-templates`), media operations, and post CRUD operations.
The patch in version 3.7.7 addresses the vulnerability by implementing proper capability checks on all affected REST API endpoints. The changes add authorization callbacks that verify the user holds the appropriate capability before a request is processed. For media upload endpoints, the patch checks for the `upload_files` capability. For post modification and deletion endpoints, it checks for `edit_posts` or `delete_posts`. For course template management, it checks for `manage_options` or instructor-specific capabilities. The fix ensures that each REST endpoint validates the user's role-based permissions, not merely their authentication status. Sites that cannot update immediately should treat the listed endpoints as reachable by every registered user until the update is applied.
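The following is an added example, not the plugin's code or the actual 3.7.7 patch. It registers the three route shapes discussed here twice: once in the vulnerable form, where `permission_callback` is `is_user_logged_in`, and once in a hardened form where each callback asks for the capability that matches the action. The `lms` namespace and the route paths follow this analysis; the handler bodies, the `lms_example_*` names and the option used for templates are illustrative assumptions. The hardened version goes one step beyond the primitive capabilities named above for the delete route: it checks the per-post meta capability `delete_post` with the post ID, which `map_meta_cap()` resolves to `delete_others_posts` when the caller is not the author, so a Contributor (who does hold `delete_posts`) still cannot remove someone else's post. The upload handler passes the file through `wp_handle_upload()`, which enforces the allowed MIME type list and so also addresses the file-type concern raised in the impact discussion.

```php
<?php
/**
 * Added example, not the plugin's or Atomic Edge's code: the vulnerable registration
 * pattern (authentication checked, authorization not) beside a capability-checked one.
 * Route paths follow the advisory; handler bodies and lms_example_* names are assumptions.
 */

function lms_example_forbidden( $message ) {
    // 401 for anonymous callers, 403 for authenticated callers who lack the capability.
    return new WP_Error( 'rest_forbidden', $message, array( 'status' => rest_authorization_required_code() ) );
}

function lms_example_handle_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) ) {
        return new WP_Error( 'rest_missing_file', 'No file supplied.', array( 'status' => 400 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() refuses extensions/MIME types outside get_allowed_mime_types(),
    // so a .php payload is rejected even for a user who legitimately holds upload_files.
    $result = wp_handle_upload( $files['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'rest_upload_failed', $result['error'], array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'url' => $result['url'] ) );
}

function lms_example_delete_post( WP_REST_Request $request ) {
    $deleted = wp_delete_post( (int) $request['id'], true );
    return $deleted
        ? rest_ensure_response( array( 'deleted' => true ) )
        : new WP_Error( 'rest_cannot_delete', 'Post not found.', array( 'status' => 404 ) );
}

function lms_example_save_course_template( WP_REST_Request $request ) {
    // Illustrative storage only; the plugin's real template model is not described in the advisory.
    update_option( 'lms_example_course_template', sanitize_text_field( (string) $request['template'] ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// BEFORE (the vulnerable shape): every logged-in user, including a Subscriber, passes.
function lms_example_register_routes_vulnerable() {
    $any_logged_in_user = 'is_user_logged_in';
    register_rest_route( 'lms', '/media/upload', array(
        'methods' => 'POST', 'callback' => 'lms_example_handle_upload',
        'permission_callback' => $any_logged_in_user,
    ) );
    register_rest_route( 'lms', '/posts/(?P<id>\d+)', array(
        'methods' => 'DELETE', 'callback' => 'lms_example_delete_post',
        'permission_callback' => $any_logged_in_user,
    ) );
    register_rest_route( 'lms', '/course-templates', array(
        'methods' => 'POST', 'callback' => 'lms_example_save_course_template',
        'permission_callback' => $any_logged_in_user,
    ) );
}

// AFTER: each permission_callback asks for the capability that matches the action.
function lms_example_register_routes_hardened() {
    register_rest_route( 'lms', '/media/upload', array(
        'methods'             => 'POST',
        'callback'            => 'lms_example_handle_upload',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' ) ?: lms_example_forbidden( 'You may not upload files.' );
        },
    ) );
    register_rest_route( 'lms', '/posts/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'lms_example_delete_post',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Meta capability: map_meta_cap() resolves it per post, so holding delete_posts is not
            // enough to delete another author's post without delete_others_posts.
            return current_user_can( 'delete_post', (int) $request['id'] )
                ?: lms_example_forbidden( 'You may not delete this post.' );
        },
    ) );
    register_rest_route( 'lms', '/course-templates', array(
        'methods'             => 'POST',
        'callback'            => 'lms_example_save_course_template',
        'permission_callback' => function () {
            // manage_options as described in the advisory; an instructor capability could be OR'd in here.
            return current_user_can( 'manage_options' ) ?: lms_example_forbidden( 'You may not manage course templates.' );
        },
    ) );
}

// Only the hardened registration is hooked; the vulnerable one is kept for side-by-side reading.
add_action( 'rest_api_init', 'lms_example_register_routes_hardened' );
```

Returning a `WP_Error` from the permission callback, rather than a bare `false`, lets WordPress answer with the error's status code and a JSON body, and `rest_authorization_required_code()` keeps the 401-versus-403 distinction correct for anonymous and authenticated callers.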
Successful exploitation allows an attacker with only Subscriber privileges to upload arbitrary files (which becomes remote code execution if the upload path does not restrict file types, for example by accepting a `.php` file into a web-accessible directory), to delete or modify any post on the site, and to create or manage course templates. This can lead to complete content compromise, website defacement, privilege escalation through malicious file uploads, and disruption of the educational platform's operations. The vulnerability directly violates the principle of least privilege and enables unauthorized data manipulation across the WordPress installation. Because many LMS deployments allow self-registration, the Subscriber precondition is often trivially met.
