CVE-2026-5167 | Masteriyo LMS Plugin up to 2.1.7 on WordPress Webhook Endpoint handle_webhook order_id authorization

VDB-356028 · CVE-2026-5167 · GCVE-0-2026-5167 MASTERIYO LMS PLUGIN UP TO 2.1.7 ON WORDPRESS WEBHOOK ENDPOINT HANDLE_WEBHOOK ORDER_ID AUTHORIZATION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.8 $0-$5k 0.81+ Summaryinfo A vulnerability categorized as critical has been discovered in Masteriyo LMS Plugin up to 2.1.7 on WordPress. This affects the function handle_webhook of the component Webhook Endpoint. The manipulation of the argument order_id results in authorization. This vulnerability was named CVE-2026-5167. The attack may be performed from remote. There is no available exploit. Detailsinfo A vulnerability was found in Masteriyo LMS Plugin up to 2.1.7 on WordPress. It has been classified as critical. Affected is the function handle_webhook of the component Webhook Endpoint. The manipulation of the argument order_id with an unknown input leads to a authorization vulnerability. CWE is classifying the issue as CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. This is going to have an impact on integrity, and availability. CVE summarizes: The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content. The weakness was presented by Md. Moniruzzaman Prodhan. The advisory is shared for download at wordfence.com. This vulnerability is traded as CVE-2026-5167 since 03/30/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 04/08/2026). There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. Productinfo Type WordPress Plugin Vendor Masteriyo Name LMS Plugin Version 2.1.0 2.1.1 2.1.2 2.1.3 2.1.4 2.1.5 2.1.6 2.1.7 CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.9 VulDB Meta Temp Score: 5.8 VulDB Base Score: 6.5 VulDB Temp Score: 6.3 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 5.3 CNA Vector (Wordfence): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Authorization CWE: CWE-639 / CWE-285 / CWE-266 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: no mitigation known Status: 🔍 0-Day Time: 🔒 Timelineinfo 03/30/2026 CVE reserved 04/08/2026 +9 days Advisory disclosed 04/08/2026 +0 days VulDB entry created 04/08/2026 +0 days VulDB entry last update Sourcesinfo Advisory: wordfence.com Researcher: Md. Moniruzzaman Prodhan Status: Not defined CVE: CVE-2026-5167 (🔒) GCVE (CVE): GCVE-0-2026-5167 GCVE (VulDB): GCVE-100-356028 Entryinfo Created: 04/08/2026 09:16 Changes: 04/08/2026 09:16 (66) Complete: 🔍 Cache ID: 99:03C:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸