CVE-2026-4817 | stylemix MasterStudy LMS WordPress Plugin up to 3.7.25 on WordPress REST API Endpoint /lms/stm-lms/order/items esc_sql orderby sql injection
A vulnerability was found in the stylemix MasterStudy LMS WordPress Plugin up to 3.7.25 on WordPress. It has been declared as critical. It affects the function esc_sql in the REST API endpoint /lms/stm-lms/order/items. Manipulation of the argument orderby results in SQL injection.
This vulnerability is reported as CVE-2026-4817. The attack can be launched remotely. No exploit exists.
It is recommended to upgrade the affected component.
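For teams reviewing their own code for the same pattern, here is an added example (not MasterStudy LMS code and not the vendor's fix) of handling an `orderby` parameter without relying on `esc_sql`. The function name, column map and sample values are hypothetical.

```php
<?php
// Added illustration; not MasterStudy LMS code. Column names are hypothetical.

// esc_sql() escapes characters that matter inside a quoted string literal.
// An ORDER BY target is an identifier/expression, not a quoted string, so an
// escaped value is still parsed as SQL. The request value must therefore never
// reach the query text; it only selects an entry from a fixed map.
const ORDER_COLUMNS = [          // hypothetical public name => real column
    'id'     => 'o.id',
    'date'   => 'o.created_at',
    'total'  => 'o.total',
    'status' => 'o.status',
];

function safe_order_clause($orderby, $order): string
{
    // Non-string input (e.g. an array parameter) falls back to the default.
    $key = is_string($orderby) ? strtolower(trim($orderby)) : '';
    $column = ORDER_COLUMNS[$key] ?? ORDER_COLUMNS['date'];

    // Direction is a keyword, so it is also chosen from a closed set.
    $dir = (is_string($order) && strtoupper(trim($order)) === 'ASC') ? 'ASC' : 'DESC';

    return "ORDER BY {$column} {$dir}";
}

// Constructed request values, including ones that are not plain column names.
$samples = [
    ['total', 'asc'],
    ['TOTAL ', 'desc'],
    ['total, other_column', 'asc'],  // not in the map -> default column
    [['nested'], 'asc'],             // array parameter -> default column
    ['status', 'sideways'],          // unknown direction -> DESC
];

foreach ($samples as [$orderby, $order]) {
    printf("%-32s => %s\n", json_encode([$orderby, $order]), safe_order_clause($orderby, $order));
}
```

Only the clause returned by the function is concatenated into the query; values for `WHERE` conditions still go through `$wpdb->prepare()` placeholders.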