CVE-2026-5167 Overview
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress contains an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639) in versions up to and including 2.1.7. This security flaw exists due to insufficient webhook signature verification in the handle_webhook() function, allowing unauthenticated attackers to manipulate order states and gain unauthorized access to paid course content.
Critical Impact
Unauthenticated attackers can send fake Stripe webhook events to mark any order as completed without payment, gaining unauthorized access to premium educational content and bypassing the payment system entirely.
Affected Products
- Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress versions up to and including 2.1.7
- WordPress sites using the Masteriyo LMS Stripe payment addon with default configuration
- eLearning platforms relying on Masteriyo LMS for course monetization
Discovery Timeline
- 2026-04-08 - CVE-2026-5167 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-5167
Vulnerability Analysis
This vulnerability represents a classic authorization bypass through improper webhook validation. The handle_webhook() function in the Stripe addon processes incoming webhook requests without proper authentication when default settings are in place. The webhook endpoint accepts unauthenticated requests and only performs signature verification under specific conditions—when both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present in the request.
The critical flaw lies in the default configuration: the webhook_secret defaults to an empty string. This means that even if an attacker omits the signature header entirely, the webhook endpoint will process the request without any verification. Attackers can craft malicious JSON payloads containing arbitrary order_id values in the metadata field, causing the system to mark orders as completed without any actual payment being processed.
Root Cause
The root cause is an insecure default configuration combined with flawed conditional logic in the signature verification process. Rather than requiring signature verification as a mandatory security control, the implementation treats it as optional—only enforcing it when both the secret is configured and the signature header is present. This "fail-open" design allows attackers to simply bypass the security check by ensuring one of these conditions is not met. The empty default value for webhook_secret makes this bypass trivially achievable on fresh installations.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP POST requests to the WordPress site's webhook endpoint. The malicious request would contain a JSON payload mimicking legitimate Stripe webhook events (such as checkout.session.completed) with forged order metadata. Since the endpoint processes these requests without signature verification when using default settings, the attacker can manipulate order statuses at will.
The attack flow involves identifying target WordPress sites running Masteriyo LMS with the Stripe addon, crafting a webhook payload with a valid event type and target order ID, and submitting it to the webhook endpoint. The plugin then processes this as a legitimate payment completion, granting access to paid courses without any actual financial transaction occurring.
Detection Methods for CVE-2026-5167
Indicators of Compromise
- Unexpected order status changes from "pending" to "completed" without corresponding Stripe dashboard transaction records
- Webhook access logs showing requests without HTTP_STRIPE_SIGNATURE headers that resulted in successful order completions
- User accounts with access to paid courses but no valid payment history in Stripe
- Anomalous spikes in course enrollments without corresponding revenue
Detection Strategies
- Monitor webhook endpoint access logs for requests lacking the Stripe-Signature HTTP header
- Implement log correlation between WordPress order completions and Stripe transaction webhooks to identify discrepancies
- Deploy web application firewall (WAF) rules to flag or block webhook requests without proper signature headers
- Audit order completion events against Stripe API payment records on a regular basis
Monitoring Recommendations
- Enable detailed logging for the Masteriyo LMS webhook endpoint to capture all incoming requests and their headers
- Set up alerts for order status changes that occur via webhook without corresponding payment intent confirmations
- Review the webhook_secret configuration to ensure it is properly set and matches the Stripe dashboard webhook signing secret
- Implement real-time monitoring for unauthorized course access patterns
How to Mitigate CVE-2026-5167
Immediate Actions Required
- Update Masteriyo LMS to the latest patched version immediately
- Configure a strong webhook_secret in the Masteriyo LMS Stripe addon settings, matching the signing secret from your Stripe dashboard
- Audit existing orders for any that may have been fraudulently marked as completed
- Review course access logs to identify users who may have gained unauthorized access to paid content
Patch Information
A security patch has been released to address this vulnerability. The fix modifies the webhook signature verification logic to require proper authentication for all incoming webhook requests, regardless of default configuration state. The patch changeset can be reviewed at the WordPress Code Changeset. Additional technical details are available in the Wordfence Vulnerability Report.
Workarounds
- Immediately configure the webhook_secret setting with the signing secret from your Stripe webhook configuration dashboard
- Implement IP allowlisting to restrict webhook endpoint access to known Stripe IP addresses only
- Add server-level middleware or .htaccess rules to reject webhook requests missing the Stripe-Signature header
- Temporarily disable the Stripe payment addon if patching is not immediately possible, switching to an alternative payment method
# Apache .htaccess workaround - block webhook requests without Stripe signature
# Add to your WordPress root .htaccess file
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} masteriyo/webhook [NC]
RewriteCond %{HTTP:Stripe-Signature} ^$
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
