15,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in MasterStudy LMS Pro WordPress Plugin

📢 In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.

On May 15th, 2025, we received a submission for an Arbitrary File Upload vulnerability in MasterStudy LMS Pro, a WordPress plugin with more than 15,000 estimated active installations. The MasterStudy Education WordPress theme from ThemeForest with more than 21,000 sales also includes the Pro plugin. This vulnerability makes it possible for authenticated users such as subscribers to upload arbitrary files to a vulnerable site and achieve remote code execution in certain configurations, which is typically leveraged for a complete site takeover. Please note that this vulnerability only critically affects users who have enabled the “Media File Manager” and “Assignments” addons in the Pro plugin, both of which are disabled by default.

Props to Foxyyy who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $703.00 for this discovery, which included a 10% bonus for being a creative vulnerability finder and another 10% bonus for being a meaningful researcher. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 15, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 14, 2025.

We provided full disclosure details to the StylemixThemes team on May 15, 2025. The developer released the patch on May 22, 2025. We would like to commend the StylemixThemes team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of MasterStudy LMS Pro, version 4.7.1 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating
8.8 (High)

CVE-ID
CVE-2025-4800

Affected Versions
<= 4.7.0

Patched Version
4.7.1

Bounty
$703.00

Affected Software

MasterStudy LMS Pro

Affected Software Slug

masterstudy-lms-learning-management-system-pro

Researcher

Foxyyy

The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stm_lms_add_assignment_attachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server, which may make remote code execution possible.

Technical Analysis

MasterStudy LMS Pro is a WordPress plugin, which provides a lot of premium add-ons for the MasterStudy LMS.

Examining the code reveals that the plugin uses the stm_lms_upload_media_library_file() function in the STM_LMS_Media_Library class to upload files to the WordPress media library. This can only be used when the “Media File Manager” addon is enabled, which is disabled by default.

Unfortunately, it was found that capability checks as well as nonce checks were missing in this function in the vulnerable versions. This makes it possible for authenticated attackers with subscriber-level permission to invoke the AJAX action and upload image or document files to the server.

Further examination of the code reveals that the plugin uses the stm_lms_add_assignment_attachment() to assign attachments to posts, and it also copies the file with the specified name. This can only be used when the “Assignments” addon is enabled, which is disabled by default.

function stm_lms_add_assignment_attachment() {
	check_ajax_referer( 'wp_rest', 'nonce' );

	$attachment = $_POST['attachment'];
	$post_id    = intval( $_POST['post_id'] );
	$course_id  = intval( $_POST['course_id'] );
	$is_created = rest_sanitize_boolean( $_POST['is_created'] );
	$is_review  = rest_sanitize_boolean( $_POST['is_review'] );

	if ( isset( $attachment['id'] ) && $post_id ) {
		$is_attached      = false;
		$attachment_id    = intval( $attachment['id'] );
		$attached_post_id = get_post_field( 'post_parent', $attachment_id );

		if ( $attached_post_id > 0 && ! $is_created ) {
			global $wp_filesystem;
			if ( ! is_a( $wp_filesystem, 'WP_Filesystem_Base' ) ) {
				require_once ABSPATH . 'wp-admin/includes/file.php';
				WP_Filesystem();
			}

			$file_path    = get_attached_file( $attachment_id );
			$file_dir     = str_replace( basename( $file_path ), '', $file_path );
			$file_name    = wp_unique_filename( $file_dir, $attachment['filename'] );
			$updated_path = trailingslashit( $file_dir ) . $file_name;

			if ( $wp_filesystem->copy( $file_path, $updated_path, true ) ) {

Unfortunately, the function does not include any file type or extension checks on the destination filename before the copy operation in the vulnerable version. This makes it possible to rename a .png file uploaded to the server via the previously highlighted stm_lms_upload_media_library_file() AJAX function to a .php file using the copy() function in the stm_lms_add_assignment_attachment() AJAX function.

The uploaded file is copied to the WordPress uploads folder, which is publicly accessible by default. This overall makes it possible for attackers, with authenticated access such as subscribers, to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server.

As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.

We would like to draw attention once again to the fact that the vulnerability only critically affects users who have enabled the “Media File Manager” and “Assignments” addons in the Pro plugin, both of which are disabled by default.

The complete exploit process looks like this:

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The firewall also blocks access to the uploaded file:

Please note this protection only works if the “Disable Code Execution for Uploads directory” option is enabled in the Wordfence Global Options page. We strongly recommend all Wordfence users enable this option.

Disclosure Timeline

May 15, 2025 – We received the submission for the Arbitrary File Upload vulnerability in MasterStudy LMS Pro via the Wordfence Bug Bounty Program.
May 15, 2025 – We validated the report and confirmed the proof-of-concept exploit.
May 15, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
May 15, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
May 22, 2025 – The fully patched version of the plugin, 4.7.1, was released.
June 14, 2025 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the MasterStudy LMS Pro plugin affecting versions 4.7.0 and earlier. This vulnerability allows authenticated threat actors, with minimal permissions, to execute malicious code on the server. The vulnerability has been addressed in version 4.7.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of MasterStudy LMS Pro as soon as possible considering this vulnerability is highly likely to be exploited by threat actors.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post 15,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in MasterStudy LMS Pro WordPress Plugin appeared first on Wordfence.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.