CVE-2026-5167 MEDIUM

CVE-2026-5167: Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint

Vendor Masteriyo
Product Masteriyo LMS – Online Course Builder for eLearning, LMS & Education
Weakness CWE-639 · IDOR
Published April 8, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.

Explanation of Vulnerability in Simple Terms

02Summary

Masteriyo LMS versions up to 2.1.7 contain an integrity vulnerability allowing network-based attackers to modify data without authentication. The attack requires no user interaction and exploits a weakness in input validation or access controls. Site administrators should update to a version newer than 2.1.7 to prevent unauthorized data modification.

What an attacker can do

03Attacker Capabilities

Modify data on the site without logging in.

Potential impact on your site

04Site Impact

Attackers can alter course content, settings, or other data without your knowledge or permission.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

April 8, 2026 CVE published
April 8, 2026 Record updated