CVE-2025-13766
MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and DeletionThe MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates
We have discovered 1,571 live websites that are affected by CVE-2025-13766.
Affected Software
| Product |  Masterstudy LMS Learning Management System |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,571 live websites (96% of Masterstudy LMS Learning Management System install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 113 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Jan 6, 2026
- Updated - Jan 6, 2026
Credits
- thinnawarth mathuros (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-13766 United States | 407 websites |
 Germany | 123 websites |
 France | 116 websites |
 Italy | 79 websites |
 GB | 74 websites |
 Cyprus | 72 websites |
 India | 65 websites |
 Spain | 63 websites |
 Brazil | 51 websites |
 Turkey | 27 websites |
Website Distribution by TLD
Number of websites using CVE-2025-13766| .com | 702 websites |
| .org | 121 websites |
| .it | 56 websites |
| .com.br | 45 websites |
| .net | 42 websites |
| .de | 34 websites |
| .fr | 28 websites |
| .es | 26 websites |
| .co.uk | 23 websites |
| .nl | 22 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-13766
Top websites that are affected by CVE-2025-13766. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.org | United States | **,*** | |
| *******.org | United States | ***,*** | |
| **************.***.br | Brazil | ***,*** | |
| ***********.**.za |  South Africa | ***,*** | |
| ***********.***.co |  Colombia | ***,*** | |
| *****.org | United States | ***,*** | |
| ************************.com | GB | ***,*** | |
| *****.**************.com | United States | ***,*** | |
| ********.*******.***.cl |  Chile | ***,*** | |
| ***.***************.eu | Germany | ***,*** |
FAQ
CVE-2025-13766 is Missing Authorization in Masterstudy LMS Learning Management System
A total of 1,571 websites have been identified as vulnerable to CVE-2025-13766, based on global website indexing conducted by WebTechSurvey.
The Masterstudy LMS Learning Management System is affected by the CVE-2025-13766 vulnerability.
Masterstudy LMS Learning Management System versions up to and including 3.7.6 are vulnerable to CVE-2025-13766.