
15,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in MasterStudy LMS Pro Plugin

Latest Reports: • WordPress Vulnerability Reports by Wordfence
Blog Post: https://www.wordfence.com/blog/2025/0...
🛡️ Get Wordfence: https://www.wordfence.com/products/pr...
🔵 Try Wordfence Central - https://www.wordfence.com/help/central/
⭐ Wordfence is Trusted by over 5 Million Websites

On May 15th, 2025, we received a submission for an Arbitrary File Upload vulnerability in MasterStudy LMS Pro, a WordPress plugin with more than 15,000 estimated active installations. The MasterStudy Education WordPress theme from ThemeForest with more than 21,000 sales also includes the Pro plugin.

This vulnerability makes it possible for authenticated users such as subscribers to upload arbitrary files to a vulnerable site and achieve remote code execution in certain configurations, which is typically leveraged for a complete site takeover.

Please note that this vulnerability only critically affects users who have enabled the “Media File Manager” and “Assignments” addons in the Pro plugin, both of which are disabled by default.
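As an added illustration (not MasterStudy LMS Pro code and not from the Wordfence post), the defensive pattern that closes this class of bug in a WordPress upload handler reachable by low-privilege users: an explicit capability check, a nonce, and server-side validation of the real file type before WordPress places the file. The AJAX action name, nonce action and field name are assumptions.

```php
<?php
// Illustrative hardened upload handler for a plugin feature exposed to
// logged-in users. Hook name, nonce action and field name are hypothetical.

add_action( 'wp_ajax_example_assignment_upload', 'example_handle_assignment_upload' );

function example_handle_assignment_upload() {
    // 1. Authorization: require a concrete capability, not merely "is logged in".
    //    Subscribers lack 'upload_files', so they are refused here.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 2. CSRF protection for the AJAX action (dies on a bad/missing nonce).
    check_ajax_referer( 'example_assignment_upload' );

    if ( empty( $_FILES['assignment']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Allowlist of extension => MIME pairs; PHP and other executable
    //    types are simply absent from it.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );

    // Validate the actual content against the claimed name, not just the
    // client-supplied filename or Content-Type.
    $check = wp_check_filetype_and_ext(
        $_FILES['assignment']['tmp_name'],
        $_FILES['assignment']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress sanitize the filename and choose the destination;
    //    never build the target path from user input. The 'mimes' override
    //    re-applies the allowlist inside wp_handle_upload().
    $overrides = array( 'test_form' => false, 'mimes' => $allowed );
    $result    = wp_handle_upload( $_FILES['assignment'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```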

Props to Foxyyy, who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $703.00 for this discovery, which included a 10% bonus for being a creative vulnerability finder and another 10% bonus for being a meaningful researcher.

Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program.

We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 15, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 14, 2025.

We urge users to update their sites with the latest patched version of MasterStudy LMS Pro, version 4.7.1 at the time of this writing, as soon as possible.

Read more in the full blog post: https://www.wordfence.com/blog/2025/0...

Stay informed and secure: read the full details and expert analysis on the Wordfence blog: https://www.wordfence.com/blog/

🔗 Get Wordfence today: https://www.wordfence.com/
🔐 Learn more about WordPress security: https://www.wordfence.com/learn/

🎥 Watch the full WordPress Security Essentials series here:

• WordPress Security Essentials by Wordfence...

Wordfence is designed for defense in depth by giving you a layered approach to security with our range of features.

#WordPress #WordPressSecurity #Cybersecurity #WebsiteProtection #Wordfence #OnlineSecurity #wordpress

===== Protect Your Site With Wordfence =====

✅ Get Wordfence Free: https://www.wordfence.com/products/wo...
✅ Get Wordfence Premium: https://www.wordfence.com/products/wo...
✅ Get Wordfence Care: https://www.wordfence.com/products/wo...
✅ Get Wordfence Response: https://www.wordfence.com/products/wo...

📝 Wordfence Audit Log:
All premium Wordfence plans include access to the Wordfence Audit Log — capturing, securely storing, and protecting important security events for forensic analysis.

🔵 Connect Your Sites To Wordfence Central:
https://www.wordfence.com/help/central/
Manage all your WordPress sites from one centralized dashboard.

💸 Want to earn money promoting Wordfence? Join the Wordfence Affiliate Program:
👉 Learn more: • How To Earn Money With The Wordfence Affil...
👉 Join: https://www.wordfence.com/affiliate

🐞 Earn money via our Bug Bounty Program:
Find vulnerabilities in WordPress plugins and themes and get rewarded!
👉 Join: https://www.wordfence.com/refer/youtube