CVE-2026-4817 Overview
A Time-based Blind SQL Injection vulnerability has been identified in the MasterStudy LMS WordPress Plugin for Online Courses and Education. The vulnerability exists in the order and orderby parameters within the /lms/stm-lms/order/items REST API endpoint, affecting versions up to and including 3.7.25. This security flaw stems from insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses.
Critical Impact
Authenticated attackers with subscriber-level access can extract sensitive information from the database including user credentials, session tokens, and other confidential data through time-based blind SQL injection techniques.
Affected Products
- MasterStudy LMS WordPress Plugin versions up to and including 3.7.25
- WordPress installations using vulnerable MasterStudy LMS plugin versions
- Online course and education platforms utilizing MasterStudy LMS
Discovery Timeline
- 2026-04-17 - CVE-2026-4817 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4817
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exploits a design flaw in the MasterStudy LMS plugin's custom Query builder class. The vulnerability is accessible over the network and requires low-privilege authentication (subscriber-level access), making it exploitable by any registered user on a WordPress site running the vulnerable plugin.
The core issue lies in how the Query builder handles the sort_by parameter. When the Query builder detects parentheses in the sort_by parameter, it interprets the value as a SQL function and directly concatenates it into the ORDER BY clause without proper quoting. While the plugin applies esc_sql() to escape quotes and backslashes, this defense mechanism is ineffective against ORDER BY injection because the values themselves are not wrapped in quotes in the resulting SQL statement.
The vulnerability allows extraction of sensitive data including user credentials, session tokens, and other confidential information stored in the WordPress database. Since this is a time-based blind SQL injection, attackers can infer database contents by observing response timing differences when injecting conditional time-delay SQL statements.
Root Cause
The root cause is a fundamental design flaw in the Query builder class located in _core/lms/classes/vendor/Query.php. The vulnerable code path exists at line 676 where ORDER BY clause construction occurs. When the Query builder encounters parentheses in sorting parameters, it assumes the input is a legitimate SQL function (such as RAND()) and concatenates it directly into the SQL query.
The esc_sql() function, which is applied for sanitization, only escapes quotes and backslashes. This provides no protection when the injected values are not subsequently enclosed in quotes within the SQL statement. The StmStatistics model at lines 202 and 238 passes user-controlled order and orderby parameters to this vulnerable Query builder without additional validation.
Attack Vector
The attack is executed through the REST API endpoint /lms/stm-lms/order/items which is registered in the route configuration at _core/lms/route.php. An authenticated attacker with at least subscriber-level privileges can craft malicious requests containing SQL injection payloads in the order or orderby parameters.
The attacker exploits the parentheses detection logic by injecting SQL functions containing conditional time delays. By measuring response times, the attacker can extract database contents one character at a time through boolean-based inference. The network-accessible REST API endpoint combined with the low authentication requirement significantly expands the potential attack surface.
Detection Methods for CVE-2026-4817
Indicators of Compromise
- Unusual REST API requests to /lms/stm-lms/order/items containing parentheses or SQL keywords in order or orderby parameters
- Abnormally long response times from the WordPress REST API that may indicate time-based SQL injection exploitation
- Web server logs showing requests with encoded SQL functions like SLEEP(), BENCHMARK(), or IF() statements
- Database query logs revealing ORDER BY clauses with unexpected SQL functions or subqueries
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in REST API parameters
- Monitor WordPress REST API access logs for suspicious patterns targeting the /lms/stm-lms/order/items endpoint
- Deploy SQL injection detection signatures that identify time-based blind injection techniques such as SLEEP() and BENCHMARK() functions
- Enable database query logging to identify anomalous ORDER BY clause constructions
Monitoring Recommendations
- Configure alerts for REST API requests with unusually high response latency that could indicate time-delay exploitation
- Implement rate limiting on the /lms/stm-lms/order/items endpoint to slow down automated exploitation attempts
- Monitor for bulk data extraction patterns that may indicate successful SQL injection exploitation
- Review WordPress user registrations for suspicious accounts created to gain subscriber-level access for exploitation
How to Mitigate CVE-2026-4817
Immediate Actions Required
- Update the MasterStudy LMS plugin to version 3.7.26 or later immediately
- Audit database access logs for any signs of exploitation prior to patching
- Review WordPress user accounts for unauthorized subscriber registrations that may have been created for exploitation
- Consider temporarily disabling the REST API endpoint if immediate patching is not possible
Patch Information
The vulnerability has been patched in MasterStudy LMS version 3.7.26. The fix addresses the improper handling of user-supplied input in ORDER BY clauses within the Query builder class. Security researchers can review the specific changes in the WordPress Plugin Changeset and the Query.php modification.
Additional technical analysis is available in the Wordfence Vulnerability Report.
Workarounds
- Implement Web Application Firewall rules to block requests containing SQL injection patterns in REST API parameters
- Restrict access to the WordPress REST API for unauthenticated or low-privilege users if LMS functionality permits
- Use WordPress security plugins to add additional input validation layers for REST API endpoints
- Consider temporarily disabling the MasterStudy LMS statistics functionality until patching can be completed
# Example WAF rule to block suspicious ORDER BY parameters
# Add to .htaccess or WAF configuration
RewriteEngine On
RewriteCond %{QUERY_STRING} (order|orderby)=.*(\(|sleep|benchmark|if\() [NC]
RewriteRule ^wp-json/lms/stm-lms/order/items - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
