CVE-2026-0559 Overview
CVE-2026-0559 is a Stored Cross-Site Scripting (XSS) vulnerability in the MasterStudy LMS WordPress Plugin – for Online Courses and Education. The flaw affects all versions up to and including 3.7.11. It exists in the plugin's stm_lms_courses_grid_display shortcode, which fails to sanitize user-supplied attributes and escape output. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript that executes when other users visit affected pages. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated contributors can inject persistent JavaScript into WordPress pages, enabling session theft, administrative action hijacking, and arbitrary redirects against visiting users.
Affected Products
- MasterStudy LMS WordPress Plugin – for Online Courses and Education, all versions through 3.7.11
- WordPress sites exposing the stm_lms_courses_grid_display shortcode to contributor or higher roles
- Patched in the changeset published at revision 3435814
Discovery Timeline
- 2026-02-14 - CVE-2026-0559 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-0559
Vulnerability Analysis
The vulnerability resides in the stm_lms_courses_grid_display shortcode handler shipped with the MasterStudy LMS plugin. Shortcode attributes supplied by authenticated users flow into the rendered HTML without proper sanitization or output escaping. An attacker with contributor permissions can craft a post or page containing the shortcode with malicious attribute values. When an administrator or visitor previews or views the resulting page, the browser executes the injected payload in the site's origin. This grants the attacker access to authenticated session cookies, the WordPress REST API, and the admin interface in the victim's context.
Root Cause
The plugin treats shortcode attributes as trusted strings during template rendering. It neither applies WordPress sanitization helpers such as sanitize_text_field() nor escapes output with esc_attr() or esc_html() before emitting the values into the page markup. This omission allows script tags, event handlers, and JavaScript URIs to survive intact.
Attack Vector
Exploitation requires authenticated access at contributor level or above. The attacker inserts the stm_lms_courses_grid_display shortcode with a crafted attribute containing JavaScript into post content. Because the payload is stored in the database and rendered on every page load, the XSS is persistent. The scope-change rating in the CVSS vector reflects that code executes in the browser context of any user viewing the affected page, including site administrators. See the Wordfence Vulnerability Report for additional technical context.
// No verified proof-of-concept code is published.
// Refer to the vendor changeset for the patched sanitization logic.
Detection Methods for CVE-2026-0559
Indicators of Compromise
- Posts or pages authored by contributor-level accounts that contain the stm_lms_courses_grid_display shortcode with unusual attribute values
- Stored content containing <script>, onerror=, onload=, or javascript: strings inside shortcode attributes
- Unexpected outbound requests from administrator browser sessions to attacker-controlled domains after viewing course grid pages
Detection Strategies
- Audit the wp_posts table for shortcode usage with regex matching on stm_lms_courses_grid_display and HTML control characters in attribute values
- Review WordPress activity logs for contributor accounts publishing or editing pages that embed the vulnerable shortcode
- Inspect rendered HTML of course grid pages for unescaped attribute content that does not match expected plugin output
Monitoring Recommendations
- Forward WordPress access logs and PHP error logs to a centralized SIEM and alert on anomalous contributor publishing activity
- Monitor administrator sessions for Content Security Policy violations and unexpected script execution on /wp-admin/ paths
- Track plugin version inventory across WordPress estates and flag any host running MasterStudy LMS at version 3.7.11 or earlier
How to Mitigate CVE-2026-0559
Immediate Actions Required
- Update the MasterStudy LMS WordPress Plugin to the version released in changeset 3435814 or later
- Audit existing posts and pages for malicious shortcode attributes injected before the patch was applied
- Review contributor-level user accounts and remove or downgrade any that are not actively required
Patch Information
The vendor addressed the issue in the plugin update tracked at WordPress Plugin Changeset 3435814. The fix introduces sanitization and output escaping for attributes processed by the stm_lms_courses_grid_display shortcode. Administrators should apply the update through the WordPress plugin manager and verify the installed version reports higher than 3.7.11.
Workarounds
- Restrict the contributor role from using the stm_lms_courses_grid_display shortcode through a capability plugin or custom the_content filter
- Deploy a web application firewall rule that blocks shortcode attributes containing HTML tags or JavaScript event handlers
- Enforce a strict Content Security Policy that disallows inline scripts on pages rendering course grid content
# Verify installed plugin version via WP-CLI
wp plugin get masterstudy-lms-learning-management-system --field=version
# Update to the patched release
wp plugin update masterstudy-lms-learning-management-system
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

