Skip to main content
CVE Vulnerability Database

CVE-2025-7438: MasterStudy LMS Pro WordPress RCE Flaw

CVE-2025-7438 is a remote code execution vulnerability in MasterStudy LMS Pro for WordPress, allowing authenticated attackers to upload malicious files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7438 Overview

CVE-2025-7438 is an arbitrary file upload vulnerability in the MasterStudy LMS Pro plugin for WordPress. The flaw exists in the install_and_activate_plugin function and affects all versions up to and including 4.7.9. The function performs insufficient file type validation, allowing authenticated users with Subscriber-level access or higher to upload arbitrary files to the server. Successful exploitation can lead to remote code execution on the affected site. The vulnerability is classified under [CWE-434] (Unrestricted Upload of File with Dangerous Type). According to the National Vulnerability Database, exploitation is constrained by timing requirements and environmental factors that increase attack complexity.

Critical Impact

Authenticated attackers with Subscriber-level access can upload arbitrary files to the WordPress server, potentially achieving remote code execution and full site compromise.

Affected Products

  • MasterStudy LMS Pro plugin for WordPress — all versions through 4.7.9
  • WordPress sites running the vulnerable plugin with user registration enabled
  • Stylemix Themes MasterStudy LMS Pro installations

Discovery Timeline

  • 2025-07-18 - CVE-2025-7438 published to the National Vulnerability Database
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7438

Vulnerability Analysis

The vulnerability resides in the install_and_activate_plugin function within MasterStudy LMS Pro. The function accepts file uploads but fails to validate file types adequately. An authenticated attacker can supply a file whose extension or MIME type is not properly restricted, placing executable content on the server.

Because the function is reachable by users with Subscriber-level privileges, any site permitting open user registration exposes this endpoint to a broad attacker pool. Once a malicious file is written to a web-accessible path, the attacker can request the file to trigger code execution under the web server's process context.

Exploitation is rated higher in attack complexity due to timing constraints in how the plugin installation routine processes uploaded archives. Successful attacks may require race conditions or specific server configurations to land an executable payload before cleanup occurs.

Root Cause

The root cause is missing or insufficient file type validation in install_and_activate_plugin. The function does not enforce a strict allowlist of permitted file extensions or verify file content against an expected archive structure before extraction. This omission permits arbitrary content to be written into the WordPress directory structure.

Attack Vector

The attack is performed over the network against the WordPress administrative AJAX or REST endpoint that exposes the install_and_activate_plugin action. The attacker authenticates with any account holding Subscriber privileges or above, submits a crafted upload, and then requests the dropped file to execute embedded PHP code. No user interaction is required from administrators.

No verified public proof-of-concept exploit code is available at this time. Refer to the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-7438

Indicators of Compromise

  • Unexpected PHP files appearing in wp-content/plugins/ or wp-content/uploads/ directories with recent modification timestamps
  • Web server access logs showing POST requests to admin-ajax.php with the install_and_activate_plugin action from low-privilege user sessions
  • Outbound network connections from the PHP worker process to unfamiliar hosts following plugin upload activity
  • New WordPress administrator accounts created without corresponding audit log entries

Detection Strategies

  • Monitor WordPress AJAX and REST endpoints for invocations of install_and_activate_plugin originating from non-administrator accounts
  • Inspect uploaded archive contents for embedded PHP files prior to extraction using a web application firewall
  • Audit the MasterStudy LMS Pro plugin version across all WordPress installations and flag any instance at or below 4.7.9

Monitoring Recommendations

  • Enable verbose logging on WordPress authentication and privilege change events to detect anomalous Subscriber activity
  • Forward web server, PHP-FPM, and WordPress audit logs to a centralized SIEM for correlation
  • Alert on file creation events in plugin directories outside of scheduled maintenance windows

How to Mitigate CVE-2025-7438

Immediate Actions Required

  • Update MasterStudy LMS Pro to a version later than 4.7.9 as soon as the vendor publishes a fixed release
  • Disable open user registration on affected WordPress sites until patching is complete
  • Audit existing user accounts and remove unrecognized Subscriber-level or higher accounts
  • Scan the WordPress installation for unauthorized PHP files in upload and plugin directories

Patch Information

Review the Stylemix Themes Changelog for the latest patched release of MasterStudy LMS Pro. Apply the vendor update through the WordPress admin interface or by replacing the plugin directory with the patched version. Verify the plugin version after upgrade to confirm remediation.

Workarounds

  • Restrict access to wp-admin/admin-ajax.php through a web application firewall rule that blocks the install_and_activate_plugin action for non-administrator sessions
  • Temporarily deactivate the MasterStudy LMS Pro plugin if a patched version is not yet available
  • Set the WordPress DISALLOW_FILE_MODS constant to true in wp-config.php to prevent plugin installation through the admin interface
  • Configure the web server to deny PHP execution within wp-content/uploads/ and other writable directories
bash
# Configuration example: deny PHP execution in WordPress uploads directory (Apache)
# Place in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phar)$">
    Require all denied
</FilesMatch>

# Disable plugin and theme file modifications in wp-config.php
define('DISALLOW_FILE_MODS', true);

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.