CVE-2026-4484

Masteriyo · Masteriyo LMS (WordPress Plugin)

The Masteriyo LMS plugin for WordPress allows authenticated Student-level users to escalate their privileges to Administrator via the InstructorsController.

Executive summary

The Masteriyo LMS WordPress plugin contains a critical privilege escalation flaw that allows users with basic student access to gain full administrative control over the website.

Vulnerability

This vulnerability is a Privilege Escalation flaw within the InstructorsController::prepare_object_for_database function. The plugin fails to properly validate role update requests, allowing an authenticated attacker with Student-level permissions to modify their own user role to "administrator."
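The flaw described above is a missing server-side check on a role value taken from the request. The following is an added example (not Masteriyo's code and not the patched InstructorsController) of the validation a WordPress REST controller should perform before a requested role is written to the database; the class name, the method name and the hypothetical `$requested_role` input are assumptions used for illustration.

```php
<?php
// Added example, not the plugin's own code: validate a role change taken from
// a REST request before prepare-for-database logic writes it.
// Example_Role_Update_Guard and its method are hypothetical names.

class Example_Role_Update_Guard {

	/**
	 * Returns the role that may be stored for $target_user_id, null when the
	 * request carries no role, or a WP_Error when the change must be refused.
	 */
	public static function sanitize_role_change( $requested_role, $target_user_id ) {
		$current_user_id = get_current_user_id();

		// No role in the request means "leave the role alone"; never fall back
		// to a default that is more privileged than what the user has now.
		if ( null === $requested_role || '' === $requested_role ) {
			return null;
		}

		// Only users allowed to promote others may change a role at all. A
		// student who can edit their own profile does not hold this capability.
		if ( ! current_user_can( 'promote_user', $target_user_id ) ) {
			return new WP_Error(
				'rest_cannot_edit_roles',
				'Sorry, you are not allowed to change user roles.',
				array( 'status' => 403 )
			);
		}

		// The role must exist and be one the current user is allowed to assign.
		// get_editable_roles() lives in wp-admin, so load it in REST context.
		require_once ABSPATH . 'wp-admin/includes/user.php';
		$editable_roles = get_editable_roles();
		if ( empty( $editable_roles[ $requested_role ] ) ) {
			return new WP_Error(
				'rest_invalid_role',
				'Invalid role.',
				array( 'status' => 400 )
			);
		}

		// Conservative choice for a plugin endpoint: refuse self-changes
		// outright (stricter than core, which only blocks self-demotion
		// out of 'promote_users').
		if ( (int) $target_user_id === $current_user_id ) {
			return new WP_Error(
				'rest_cannot_edit_own_role',
				'You cannot change your own role.',
				array( 'status' => 403 )
			);
		}

		return $requested_role;
	}
}
```

A controller would call `Example_Role_Update_Guard::sanitize_role_change( $request['role'], $user_id )` and return the `WP_Error` to the client when one comes back, so the capability check, the role allow-list and the self-change rule all run before `WP_User::set_role()` is ever reached.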

Business impact

The impact is a total compromise of the WordPress environment. An attacker gaining administrator access can delete content, steal user data, install malicious plugins, or deface the site. The CVSS score of 9.8 reflects the critical risk, as even low-privileged authenticated users can bypass all security barriers to take full control.

Remediation

Immediate Action: Update the Masteriyo LMS plugin to the latest version (v2.1.7 or higher) to resolve the role validation logic error.

Proactive Monitoring: Audit the WordPress user database for any unexpected changes in user roles, specifically looking for students who have recently acquired administrator or instructor privileges.

Compensating Controls: Implement a security plugin that monitors for unauthorized role changes and alerts administrators in real-time.
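The two controls above (auditing the user table for unexpected role changes and alerting on them in real time) can be implemented without a third-party product. The following is an added example, not part of the advisory, the Masteriyo plugin or any vendor product: a must-use plugin that hooks WordPress core's `set_user_role` and `add_user_role` actions to log and e-mail every role change, plus an audit function listing current administrators. The plugin name, function names and the 30-day window are assumptions.

```php
<?php
/**
 * Plugin Name: Example Role Change Monitor
 * Description: Added example (hypothetical, not the advisory's or plugin's code).
 * Place in wp-content/mu-plugins/ so it loads on every request and cannot be
 * deactivated from the dashboard.
 */

// WP_User::set_role() fires 'set_user_role'; WP_User::add_role() fires
// 'add_user_role'. Both paths can grant administrator, so hook both.
add_action( 'set_user_role', 'example_on_set_user_role', 10, 3 );
add_action( 'add_user_role', 'example_on_add_user_role', 10, 2 );

function example_on_set_user_role( $user_id, $new_role, $old_roles ) {
	example_record_role_change( $user_id, $new_role, (array) $old_roles, 'set' );
}

function example_on_add_user_role( $user_id, $added_role ) {
	$user = get_userdata( $user_id );
	example_record_role_change( $user_id, $added_role, $user ? $user->roles : array(), 'add' );
}

// Writes one log line per change and e-mails the site admin when the change
// grants administrator or when a user changes their own role.
function example_record_role_change( $user_id, $new_role, $old_roles, $how ) {
	$user  = get_userdata( $user_id );
	$actor = wp_get_current_user(); // ID 0 when the change happens outside a login (cron, CLI)
	$ip    = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'n/a';

	$entry = sprintf(
		'[role-change] op=%s user=%s(%d) old=%s new=%s by=%s(%d) ip=%s',
		$how,
		$user ? $user->user_login : 'unknown',
		$user_id,
		implode( ',', $old_roles ),
		$new_role,
		$actor->ID ? $actor->user_login : 'system',
		$actor->ID,
		$ip
	);
	error_log( $entry ); // lands in the PHP error log (or wp-content/debug.log with WP_DEBUG_LOG)

	$self_change = ( $actor->ID === (int) $user_id );
	if ( 'administrator' === $new_role || $self_change ) {
		wp_mail( get_option( 'admin_email' ), 'Role change on ' . home_url(), $entry );
	}
}

// Audit helper for the "Proactive Monitoring" step: returns every account that
// currently holds administrator, newest registration first, with all of its
// roles so an account that kept a student role alongside administrator stands
// out. Run from the shell with: wp eval 'print_r( example_audit_admins() );'
function example_audit_admins( $days = 30 ) {
	$cutoff = strtotime( "-{$days} days" );
	$admins = get_users( array(
		'role'    => 'administrator',
		'orderby' => 'registered',
		'order'   => 'DESC',
	) );

	$report = array();
	foreach ( $admins as $admin ) {
		$report[] = array(
			'ID'                 => $admin->ID,
			'login'              => $admin->user_login,
			'registered'         => $admin->user_registered,
			'roles'              => $admin->roles,
			'registered_recently' => strtotime( $admin->user_registered ) >= $cutoff,
		);
	}
	return $report;
}
```

Compare the audit output against the known list of administrators; any account flagged `registered_recently`, or one that still carries a student or instructor role next to `administrator`, is what the "Proactive Monitoring" step asks you to look for. The hooks only see changes made through the WordPress API, so a direct database write would not trigger them; the audit function covers that gap because it reads the current state rather than waiting for an event.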

Exploitation status

Public Exploit Available: No

Analyst recommendation

Due to the ease of exploitation and the high impact of a student-to-admin escalation, this patch should be applied immediately. Organizations running Masteriyo LMS must verify their plugin versions and ensure that role management functions are properly restricted to authorized administrators only.