CVE-2026-10824 | The Masteriyo LMS WordPress plugin before 2.2.1 does not pe…

Description

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

Metadata

CVE ID: CVE-2026-10824
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-06-04 08:23 UTC
Published: 2026-06-25 06:00 UTC
Last updated: 2026-06-25 06:00 UTC
Vendor / Product: Unknown / Masteriyo LMS
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	Masteriyo LMS	—	0 < 2.2.1

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-284 Improper Access Control

References (1)

https://wpscan.com/vulnerability/61d2f6ad-8450-40ae-862d-cafff38c27a0/