CVE-2025-53209
Themeisle · Masteriyo LMS PRO
Themeisle Masteriyo LMS PRO contains an incorrect privilege assignment vulnerability, allowing unauthenticated attackers to escalate their privileges to administrator.
Executive summary
An unauthenticated privilege escalation vulnerability in the Masteriyo LMS PRO plugin for WordPress creates a high risk of total administrative site compromise.
Vulnerability
This vulnerability involves incorrect privilege assignment: the plugin assigns user roles without adequately checking who is requesting the assignment, so an unauthenticated attacker can end up with an account holding site-administrator privileges.
Business impact
The ability for an unauthenticated user to gain administrative control over a WordPress site poses a severe threat to business operations, including unauthorized data access, content manipulation, and potential site-wide malware distribution. The CVSS score of 9.8 reflects this, but the practical danger is the ease of weaponizing the privilege escalation for full site takeover: no credentials or user interaction are required.
Remediation
Immediate Action: Update the Masteriyo LMS PRO plugin to version 2.20.1 or later immediately.
Proactive Monitoring: Regularly audit user accounts and administrative role assignments to identify unauthorized account creation or privilege changes.
Compensating Controls: Until the update can be applied, use a Web Application Firewall (WAF) with current rulesets to block suspicious requests targeting the plugin's privilege assignment functions. Treat this as a stopgap only; a WAF does not remove the flaw, and rules that are not specific to this plugin may not catch the malicious request.
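The audit described above, as an added example rather than anything from the advisory or the plugin: it takes rows exported from the wp_users and wp_usermeta tables, decodes the PHP-serialized capabilities array WordPress stores per user, and reports administrator accounts that are not on an allowlist or that were registered recently. The "wp_" table prefix, the allowlist and the sample rows are assumptions and constructed data.

```python
"""
Audit WordPress administrator accounts against an expected allowlist.

Added example, not part of the advisory or of the plugin. Input rows are
assumed to come from a wp_users / wp_usermeta export; the table prefix
"wp_" and the sample rows at the bottom are assumptions / constructed data.
"""
import re
from datetime import datetime, timedelta

# WordPress stores a user's roles in usermeta under "<prefix>capabilities"
# as a PHP-serialized array, e.g.  a:1:{s:13:"administrator";b:1;}
_CAP_ENTRY = re.compile(r's:(\d+):"(.*?)";b:([01]);')


def roles_from_capabilities(serialized: str) -> set[str]:
    """Return the role names that are set to true in a serialized capabilities array."""
    roles = set()
    for length, name, flag in _CAP_ENTRY.findall(serialized):
        # The length prefix must match the string; a mismatch means the value
        # is malformed or was edited by hand, so do not trust that entry.
        if int(length) != len(name):
            continue
        if flag == "1":
            roles.add(name)
    return roles


def audit_admins(users, usermeta, expected_admins, now, window_days=7, prefix="wp_"):
    """
    users:    iterable of (ID, user_login, user_registered as 'YYYY-MM-DD HH:MM:SS')
    usermeta: iterable of (user_id, meta_key, meta_value)
    Returns administrator logins that are not in expected_admins, and
    administrator logins registered within the last window_days.
    """
    caps_key = prefix + "capabilities"
    roles_by_user = {}
    for user_id, key, value in usermeta:
        if key == caps_key:
            roles_by_user[user_id] = roles_from_capabilities(value)

    cutoff = now - timedelta(days=window_days)
    unexpected, recent = [], []
    for user_id, login, registered in users:
        if "administrator" not in roles_by_user.get(user_id, set()):
            continue
        if login not in expected_admins:
            unexpected.append(login)
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= cutoff:
            recent.append(login)
    return {"unexpected_admins": unexpected, "recent_admins": recent}


# Constructed sample rows (not real site data).
SAMPLE_USERS = [
    (1, "siteowner", "2023-01-10 08:00:00"),
    (2, "editor_jane", "2024-05-02 12:30:00"),
    (3, "x7_support", "2025-07-20 03:14:07"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (3, "wp_user_level", "10"),  # legacy level, ignored by the audit
]
EXPECTED_ADMINS = {"siteowner"}          # assumed allowlist for the sample site
SAMPLE_NOW = datetime(2025, 7, 22, 9, 0, 0)  # fixed "now" so the sample is reproducible

if __name__ == "__main__":
    result = audit_admins(SAMPLE_USERS, SAMPLE_USERMETA, EXPECTED_ADMINS, now=SAMPLE_NOW)
    for login in result["unexpected_admins"]:
        print(f"UNEXPECTED ADMIN: {login}")
    for login in result["recent_admins"]:
        print(f"ADMIN REGISTERED IN LAST 7 DAYS: {login}")
```

Run it against a fresh export after every incident window; an administrator that is both unexpected and recently registered, as `x7_support` is in the sample, is the pattern this vulnerability would produce and should be disabled and investigated before anything else.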
Exploitation status
Public Exploit Available: true
Analyst recommendation
This vulnerability is highly dangerous because it grants administrative access without authentication. Security teams must treat the update as a top priority and ensure every WordPress environment running this plugin is on version 2.20.1 or later, then review administrator accounts for any created before the patch was applied.