CVE-2025-4800 Overview
CVE-2025-4800 is an arbitrary file upload vulnerability in the MasterStudy LMS Pro plugin for WordPress. The flaw exists in the stm_lms_add_assignment_attachment function, which fails to validate file types on uploaded attachments. All plugin versions up to and including 4.7.0 are affected.
Authenticated attackers with Subscriber-level access or higher can upload arbitrary files to the server. Successful exploitation may lead to remote code execution on the affected WordPress site. The vulnerability is classified under [CWE-434: Unrestricted Upload of File with Dangerous Type].
Critical Impact
Authenticated Subscriber accounts can upload executable files, enabling remote code execution and full site compromise.
Affected Products
- MasterStudy LMS Pro plugin for WordPress, versions up to and including 4.7.0
- WordPress sites distributed by StyleMix Themes using the affected plugin
- ThemeForest MasterStudy Education Center theme bundles that ship the vulnerable plugin
Discovery Timeline
- 2025-05-28 - CVE-2025-4800 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-4800
Vulnerability Analysis
The MasterStudy LMS Pro plugin exposes the stm_lms_add_assignment_attachment function to handle file attachments associated with course assignments. The function accepts uploaded files from authenticated users but does not enforce a file type allowlist or validate the MIME type, extension, or content of incoming files.
Because the plugin grants assignment submission privileges to Subscriber-level accounts, any registered user on a site that permits open registration can reach the vulnerable endpoint. An attacker who uploads a PHP file to a web-accessible directory can then request that file and execute server-side code under the WordPress process. This results in full compromise of the WordPress installation and any data the web server can reach.
Root Cause
The root cause is missing file type validation in stm_lms_add_assignment_attachment. The function trusts client-supplied file metadata instead of restricting uploads to a safe set of document formats. WordPress core upload helpers such as wp_check_filetype_and_ext are not invoked, and there is no extension blocklist for executable handlers like .php, .phtml, or .phar.
Attack Vector
Exploitation requires only network access and a valid low-privilege account. The attacker authenticates as a Subscriber, submits a crafted multipart POST request to the assignment attachment endpoint, and supplies a PHP payload disguised or named as an executable script. After the upload succeeds, the attacker requests the uploaded file directly to trigger code execution. No user interaction from an administrator is required. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-4800
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files inside the WordPress wp-content/uploads directory tree, particularly under MasterStudy LMS assignment paths
- POST requests to the stm_lms_add_assignment_attachment AJAX action originating from low-privilege user sessions
- New or modified WordPress user accounts at Subscriber level followed shortly by assignment attachment uploads
- Outbound network connections from the web server process to unfamiliar hosts after attachment activity
Detection Strategies
- Audit WordPress upload directories for files whose extensions do not match expected assignment formats such as PDF, DOCX, or image types
- Inspect web server access logs for POST requests carrying the stm_lms_add_assignment_attachment action parameter
- Correlate authentication events for newly registered Subscriber accounts with subsequent file upload requests
Monitoring Recommendations
- Enable file integrity monitoring on wp-content/uploads and alert on creation of script-executable file types
- Forward WordPress and PHP-FPM logs to a centralized SIEM for correlation of upload events with process execution
- Monitor for anomalous child processes spawned by the PHP worker, such as shells or download utilities
How to Mitigate CVE-2025-4800
Immediate Actions Required
- Update the MasterStudy LMS Pro plugin to the patched release listed in the StyleMix Pro Changelog
- Disable open user registration or restrict the Subscriber role until the plugin is updated
- Review existing Subscriber accounts for legitimacy and remove unknown users
- Scan wp-content/uploads for unauthorized script files and remove any that are identified
Patch Information
StyleMix Themes has issued an updated MasterStudy LMS Pro release that addresses the missing file type validation. Site administrators should consult the StyleMix Changelog Pro Version for the specific fixed version and apply the update through the WordPress plugin manager.
Workarounds
- Block execution of PHP files within the wp-content/uploads directory using web server configuration such as Apache .htaccess or Nginx location rules
- Place a Web Application Firewall rule in front of the site to deny multipart uploads to the stm_lms_add_assignment_attachment endpoint until patching is complete
- Temporarily deactivate the MasterStudy LMS Pro plugin on sites that cannot be patched immediately
# Nginx configuration to block PHP execution in WordPress uploads
location ~* /wp-content/uploads/.*\.(php|phtml|phar|php5|php7)$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

