CVE-2026-4484 - Masteriyo LMS - Privilege Escalation

Overview

Masteriyo LMS WordPress plugin <= 2.1.6 contains a privilege escalation caused by improper user role update in InstructorsController::prepare_object_for_database, letting authenticated users elevate privileges to administrator, exploit requires authenticated user with Student-level access or higher.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Authenticated users can escalate their privileges to administrator, compromising site security and control.

Mitigation

Update to a version later than 2.1.6 or the latest available version.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 26, 2026

🔴 CVE-2026-4484 - Critical (9.8) The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_data... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4484/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 26, 2026

🔴 CVE-2026-4484 - Critical (9.8) The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_data... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4484/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-4484 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score