Analysis Report Folder Analysis cache/masterstudy-lms-learning-management-system_3.7.6 → cache/masterstudy-lms-learning-management-system_3.7.7 - CVE-2025-13766

Shared security patch analysis results

AI Used: claude_cli haiku

CVE-2025-13766
AI-Generated Analysis
_core/includes/elementor/widgets/courses/styles/card-wishlist.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/elementor/widgets/courses/styles/card-wishlist.php	2026-01-08 00:35:18.638709065 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/elementor/widgets/courses/styles/card-wishlist.php	2026-01-08 00:37:56.644278875 +0000@@ -39,7 +39,7 @@ 		'label'     => esc_html__( 'Icon Filled Color', 'masterstudy-lms-learning-management-system' ), 		'type'      => Controls_Manager::COLOR, 		'selectors' => array(-			'{{WRAPPER}} .ms_lms_courses_card_item_info_wishlist .stm-lms-wishlist i.fa.fa-heart' => 'color: {{VALUE}}',+			'{{WRAPPER}} .ms_lms_courses_card_item_info_wishlist .stm-lms-wishlist i.stmlms-heart-2' => 'color: {{VALUE}}', 		), 	) );
AI Analysis
Vulnerability Existed: no

No Vulnerability Identified - [N/A] - card-wishlist.php [42]

Old Code:
```php
'{{WRAPPER}} .ms_lms_courses_card_item_info_wishlist .stm-lms-wishlist i.fa.fa-heart' => 'color: {{VALUE}}',
```

Fixed Code:
```php
'{{WRAPPER}} .ms_lms_courses_card_item_info_wishlist .stm-lms-wishlist i.stmlms-heart-2' => 'color: {{VALUE}}',
```

Explanation:
This diff represents a CSS selector update changing from a Font Awesome icon class (`fa.fa-heart`) to a custom icon class (`stmlms-heart-2`). This is a styling/UI change with no security implications. The `{{WRAPPER}}` and `{{VALUE}}` are Elementor template variables that are properly escaped by the Elementor framework. The diff does not introduce, remove, or modify any code that handles user input, authentication, authorization, data validation, encryption, or any other security-sensitive operation. This is purely a cosmetic update to icon selection.
CVE Analysis Results:
CVE-2025-13766: No
CVE Description:
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates.
_core/includes/elementor/widgets/courses/styles/popup-wishlist.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/elementor/widgets/courses/styles/popup-wishlist.php	2026-01-08 00:35:18.666710755 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/elementor/widgets/courses/styles/popup-wishlist.php	2026-01-08 00:37:56.704282519 +0000@@ -55,7 +55,7 @@ 		'label'     => esc_html__( 'Icon Filled Color', 'masterstudy-lms-learning-management-system' ), 		'type'      => Controls_Manager::COLOR, 		'selectors' => array(-			'{{WRAPPER}} .ms_lms_courses_card_item_popup_wishlist .stm-lms-wishlist i.fa.fa-heart' => 'color: {{VALUE}}',+			'{{WRAPPER}} .ms_lms_courses_card_item_popup_wishlist .stm-lms-wishlist i.stmlms-heart-2' => 'color: {{VALUE}}', 		), 	) );
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no

Explanation:
This diff modifies a CSS selector string in an Elementor widget configuration file. The change updates a Font Awesome icon class selector from `i.fa.fa-heart` to `i.stmlms-heart-2`.

This is a cosmetic/styling change with no security implications:
- No user input is being processed or evaluated
- No SQL queries are being constructed
- No file operations or system commands are involved
- The change is purely a CSS selector string used for styling purposes
- No authentication, authorization, or data handling logic is affected

The modification appears to be switching from Font Awesome icon classes to a custom icon class, which is a standard UI maintenance task. There are no injection vulnerabilities, access control issues, or other security concerns present in either the old or new code.
CVE Analysis Results:
CVE-2025-13766: No
_core/includes/elementor/widgets/stm_lms_membership_levels.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/elementor/widgets/stm_lms_membership_levels.php	2026-01-08 00:35:18.714713654 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/elementor/widgets/stm_lms_membership_levels.php	2026-01-08 00:37:56.928296126 +0000@@ -203,7 +203,7 @@ 				'label'   => esc_html__( 'Plan items icons', 'masterstudy-lms-learning-management-system' ), 				'type'    => \Elementor\Controls_Manager::ICONS, 				'default' => array(-					'value'   => 'fas fa-check-circle',+					'value'   => 'stmlms-check-3-circle', 					'library' => 'fa-solid', 				), 			)@@ -987,7 +987,7 @@ 			'button_position'   => $settings['button_position'] ?? 'before_level_items', 			'level_mark_list'   => $settings['level_mark_list'], 			'level_items_icons' => $settings['level_items_icons'] ?? array(-				'value'   => 'fas fa-check-circle',+				'value'   => 'stmlms-check-3-circle', 				'library' => 'fa-solid', 			), 		);
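Review bot: in both hunks the default icon `value` is switched to `stmlms-check-3-circle` while the adjacent `'library' => 'fa-solid'` is left untouched, so the default now names a custom icon under the Font Awesome solid library. If the custom set is registered under its own library name in Elementor's ICONS control, update `library` to match, otherwise the editor may not resolve the default icon.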
AI Analysis
Vulnerability Existed: no
No Security Vulnerabilities Identified - _core/includes/elementor/widgets/stm_lms_membership_levels.php

This diff updates icon references from Font Awesome icons to custom SVG icons within the masterstudy-lms plugin. The changes are:

**Line 206:** `'value' => 'fas fa-check-circle'` → `'value' => 'stmlms-check-3-circle'`

**Line 990:** `'value' => 'fas fa-check-circle'` → `'value' => 'stmlms-check-3-circle'`

**Explanation:**
These changes only modify icon class identifiers used for UI rendering in Elementor widget controls. The modifications are:
- String literal replacements with no dynamic input or code execution
- No change to escaping, validation, or sanitization logic
- No access to sensitive data, database queries, or file operations
- No authentication or authorization changes
- No injection points created or removed
- The icon identifiers are used for frontend display only and do not affect security posture

This is a cosmetic/branding update with no security implications. No vulnerabilities (CWE/CVE) exist in this diff.
CVE Analysis Results:
CVE-2025-13766: No
_core/includes/elementor/widgets/stm_lms_profile_auth_links.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/elementor/widgets/stm_lms_profile_auth_links.php	2026-01-08 00:35:18.714713654 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/elementor/widgets/stm_lms_profile_auth_links.php	2026-01-08 00:37:56.932296369 +0000@@ -865,7 +865,7 @@ 			?> 			<a href="<?php echo esc_url( $settings['auth_links_btn_link']['url'] ); ?>" class="ms-lms-authorization"> 				<span class="ms-lms-authorization-icon">-					<i class="<?php echo esc_attr( ! empty( $settings['profile_lms_icon']['value'] ) ? $settings['profile_lms_icon']['value'] : 'fas fa-user' ); ?>" aria-hidden="true"></i>+					<i class="<?php echo esc_attr( ! empty( $settings['profile_lms_icon']['value'] ) ? $settings['profile_lms_icon']['value'] : 'stmlms-user-2' ); ?>" aria-hidden="true"></i> 				</span> 				<a href="<?php echo esc_url( $settings['auth_links_btn_link']['url'] ); ?>"> 					<span class="ms-lms-authorization-title">
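Review bot: the context lines show an `<a href="..." class="ms-lms-authorization">` that is still open when a second `<a href="...">` is started after the icon `<span>`; nested anchors are invalid HTML and browsers auto-close the outer one, so the icon and the title end up as separate links. The icon-class change itself is fine and stays escaped with `esc_attr()`, but the markup nesting should be fixed while this template is being touched.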
AI Analysis
Vulnerability Existed: no
No CWE Vulnerability Identified
Old Code:
```php
<i class="<?php echo esc_attr( ! empty( $settings['profile_lms_icon']['value'] ) ? $settings['profile_lms_icon']['value'] : 'fas fa-user' ); ?>" aria-hidden="true"></i>
```

Fixed Code:
```php
<i class="<?php echo esc_attr( ! empty( $settings['profile_lms_icon']['value'] ) ? $settings['profile_lms_icon']['value'] : 'stmlms-user-2' ); ?>" aria-hidden="true"></i>
```

Explanation:
This diff changes the default icon class from 'fas fa-user' (Font Awesome) to 'stmlms-user-2' (custom icon). Both versions properly use `esc_attr()` to escape the output before inserting it into an HTML attribute, which prevents XSS vulnerabilities. The change is a cosmetic update to use a different icon library/set and does not introduce or fix any security vulnerabilities. The security measure (output escaping) was already in place in the original code and remains in the fixed code.
CVE Analysis Results:
CVE-2025-13766: No
_core/includes/elementor/widgets/stm_lms_testimonials_carousel.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/elementor/widgets/stm_lms_testimonials_carousel.php	2026-01-08 00:35:18.714713654 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/elementor/widgets/stm_lms_testimonials_carousel.php	2026-01-08 00:37:56.936296612 +0000@@ -1010,7 +1010,7 @@ 		$html .= '<div class="ms-lms-starter-theme-testimonials">'; 		foreach ( $testimonials_data as $testimonial ) { 			$html .= '<div class="stm_testimonials_single" >-						<div class="stars" ><i class="fa fa-star" ></i ></div>+						<div class="stars" ><i class="stmlms-star-3" ></i ></div> 						<div class="testimonials_title h3" >' 					. sanitize_text_field( $testimonial['title'] ) . 					'</div>
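Review bot: the icon swap is harmless, but the context line `. sanitize_text_field( $testimonial['title'] ) .` applies an input-sanitising function at the output point. Per WordPress coding standards the title concatenated into `$html` should be escaped with `esc_html()` at output; `sanitize_text_field()` strips tags but does not entity-encode what remains.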
AI Analysis
Vulnerability Existed: no
No CWE - No Security Vulnerability - stm_lms_testimonials_carousel.php - Line 1013

Old Code:
```php
<div class="stars" ><i class="fa fa-star" ></i ></div>
```

Fixed Code:
```php
<div class="stars" ><i class="stmlms-star-3" ></i ></div>
```

Explanation:
This change replaces a Font Awesome icon class (`fa fa-star`) with a custom icon class (`stmlms-star-3`). This is not a security fix but rather a presentation/styling change. The modification involves updating the CSS class used for rendering a star icon in the testimonials carousel widget. Since the change only affects the visual presentation layer (HTML class attributes) and does not involve any input validation, data sanitization, authentication, authorization, or data processing changes, there is no security vulnerability being fixed or introduced here. The existing code already uses `sanitize_text_field()` for the testimonial title, which was not modified.
CVE Analysis Results:
CVE-2025-13766: No
_core/includes/elementor/widgets/testimonials/styles/style_1.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/elementor/widgets/testimonials/styles/style_1.php	2026-01-08 00:35:18.718713895 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/elementor/widgets/testimonials/styles/style_1.php	2026-01-08 00:37:56.940296855 +0000@@ -34,7 +34,7 @@ 				data-thumbnail="<?php echo isset( $thumbnail_img[0] ) ? esc_attr( $thumbnail_img[0] ) : ''; ?>"> 				<?php if ( $testimonial['review_rating'] > 0 ) : ?> 				<div class="ms-lms-testimonial-review-rating">-					<?php echo wp_kses_post( str_repeat( '<i class="fa fa-star"></i>', intval( $testimonial['review_rating'] ) ) ); ?>+					<?php echo wp_kses_post( str_repeat( '<i class="stmlms-star-3"></i>', intval( $testimonial['review_rating'] ) ) ); ?> 				</div> 				<?php endif; ?> 				<div class="author-name"><?php echo esc_html( $testimonial['author_name'] ); ?></div>
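Review bot: `str_repeat( '<i class="stmlms-star-3"></i>', intval( $testimonial['review_rating'] ) )` repeats the markup as many times as the stored rating says, with no upper bound, so a corrupt or oversized value bloats the page. Clamp the count to the rating scale's maximum before `str_repeat()` (for example `min( 5, intval( ... ) )` if 5 is the scale in use). `wp_kses_post()` over a fixed literal is redundant but harmless.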
AI Analysis
Vulnerability Existed: no

No Security Vulnerability - [File] _core/includes/elementor/widgets/testimonials/styles/style_1.php [Line 37]

Old Code:
```php
<?php echo wp_kses_post( str_repeat( '<i class="fa fa-star"></i>', intval( $testimonial['review_rating'] ) ) ); ?>
```

Fixed Code:
```php
<?php echo wp_kses_post( str_repeat( '<i class="stmlms-star-3"></i>', intval( $testimonial['review_rating'] ) ) ); ?>
```

Explanation:
This change replaces the Font Awesome star icon class (`fa fa-star`) with a custom theme icon class (`stmlms-star-3`). Both the old and new code properly sanitize output using `wp_kses_post()`, which strips unsafe HTML while preserving safe markup. The `intval()` function safely converts the rating to an integer, preventing injection attacks. This is a cosmetic/styling change (replacing icon class names) with no security implications. The code remains secure in both versions.
CVE Analysis Results:
CVE-2025-13766: No
_core/includes/elementor/widgets/testimonials/styles/style_2.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/elementor/widgets/testimonials/styles/style_2.php	2026-01-08 00:35:18.718713895 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/elementor/widgets/testimonials/styles/style_2.php	2026-01-08 00:37:56.944297098 +0000@@ -24,7 +24,7 @@ 					</div> 					<?php if ( $testimonial['review_rating'] > 0 ) : ?> 					<div class="ms-lms-testimonial-review-rating">-						<?php echo wp_kses_post( str_repeat( '<i class="fa fa-star"></i>', intval( $testimonial['review_rating'] ) ) ); ?>+						<?php echo wp_kses_post( str_repeat( '<i class="stmlms-star-3"></i>', intval( $testimonial['review_rating'] ) ) ); ?> 					</div> 					<?php endif; ?> 					<div class="author-name"><?php echo esc_html( $testimonial['author_name'] ); ?></div>
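Review bot: the repeat count `intval( $testimonial['review_rating'] )` passed to `str_repeat()` is unbounded; clamp it to the rating scale's maximum so an oversized stored value cannot bloat the rendered output.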
AI Analysis
Analyzing the provided code diff for security vulnerabilities:

---

**Vulnerability Existed: no**

**No Security Vulnerability - CWE-79 (Cross-Site Scripting) Prevention** - style_2.php Line 27

**Old Code:**
```php
<?php echo wp_kses_post( str_repeat( '<i class="fa fa-star"></i>', intval( $testimonial['review_rating'] ) ) ); ?>
```

**Fixed Code:**
```php
<?php echo wp_kses_post( str_repeat( '<i class="stmlms-star-3"></i>', intval( $testimonial['review_rating'] ) ) ); ?>
```

**Explanation:**
Both the old and new code are secure. The change replaces the Font Awesome star icon class `fa fa-star` with a custom class `stmlms-star-3`. Since both versions:
1. Use `wp_kses_post()` to sanitize the output, which allows only safe HTML tags and attributes
2. Use `intval()` to ensure the repeat count is a safe integer
3. Construct a static HTML string (only the class name changes, which is a static string)

There is no XSS vulnerability in either version. The change is purely a CSS class replacement (likely for custom styling) and maintains the same security posture. No vulnerability was fixed because none existed in the original code.

---
CVE Analysis Results:
CVE-2025-13766: No
_core/includes/elementor/widgets/testimonials/styles/style_3.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/elementor/widgets/testimonials/styles/style_3.php	2026-01-08 00:35:18.718713895 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/elementor/widgets/testimonials/styles/style_3.php	2026-01-08 00:37:56.944297098 +0000@@ -32,7 +32,7 @@ 					</div> 					<?php if ( $testimonial['review_rating'] > 0 ) : ?> 					<div class="ms-lms-testimonial-review-rating">-						<?php echo wp_kses_post( str_repeat( '<i class="fa fa-star"></i>', intval( $testimonial['review_rating'] ) ) ); ?>+						<?php echo wp_kses_post( str_repeat( '<i class="stmlms-star-3"></i>', intval( $testimonial['review_rating'] ) ) ); ?> 					</div> 					<?php endif; ?> 					<div class="author-name"><?php echo esc_html( $testimonial['author_name'] ); ?></div>
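Review bot: as in the other testimonial styles, the `str_repeat()` count `intval( $testimonial['review_rating'] )` has no upper bound; clamp it to the rating scale's maximum before repeating the markup.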
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no

Explanation:
This diff does not introduce or fix a security vulnerability. The change is purely cosmetic:

- **Old Code**: Uses Font Awesome icon class `fa fa-star` 
- **Fixed Code**: Uses custom icon class `stmlms-star-3`

Both versions are already protected by `wp_kses_post()`, which sanitizes HTML output by allowing only safe tags and attributes. The function will strip any dangerous content regardless of which icon class is used.

The change from Font Awesome to a custom icon class is a styling/branding decision with no security implications. The sanitization remains consistent before and after the modification.
CVE Analysis Results:
CVE-2025-13766: No
_core/includes/starter-theme/templates/setup-start.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/includes/starter-theme/templates/setup-start.php	2026-01-08 00:35:18.754716068 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/includes/starter-theme/templates/setup-start.php	2026-01-08 00:37:57.008300985 +0000@@ -29,8 +29,8 @@ 				</a> 				<button class="stm-lms-pro-button main-btn buttonload button starter_install_theme_btn" name="starter_install_theme_btn"> 					<span class="ui-button-text"> <?php echo esc_html( __( 'Install Now', 'masterstudy-lms-learning-management-system' ) ); ?></span>-					<i class="fa fa-refresh fa-spin installing"></i>-					<i class="fa fa-check downloaded" aria-hidden="true"></i>+					<i class="stmlms-refresh-2 stmlms-spin installing"></i>+					<i class="stmlms-check-3 downloaded" aria-hidden="true"></i> 				</button> 			</div> 		</div>
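Review bot: the `+` lines keep `aria-hidden="true"` on the check icon but not on the spinner icon; both are decorative, so add `aria-hidden="true"` to the `stmlms-refresh-2 stmlms-spin installing` element as well for consistency with the line below it.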
AI Analysis
Vulnerability Existed: no

No vulnerabilities detected in this diff.

Explanation:
This diff shows a change in CSS class names for icon elements in a WordPress/PHP template file. The modification replaces Font Awesome icon classes (`fa fa-refresh fa-spin` and `fa fa-check`) with custom icon classes (`stmlms-refresh-2 stmlms-spin` and `stmlms-check-3`). This is a purely presentational change that updates the styling/icon library used for UI elements. There are no security implications, as no sensitive data handling, input validation, authentication, authorization, or other security-critical logic is involved. The change does not introduce or fix any vulnerabilities related to injection attacks, XSS, CSRF, or other OWASP Top 10 risks.
CVE Analysis Results:
CVE-2025-13766: No
_core/init.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/init.php	2026-01-08 00:35:18.810719450 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/init.php	2026-01-08 00:37:57.208313135 +0000@@ -3,7 +3,7 @@ define( 'STM_LMS_DIR', __DIR__ ); define( 'STM_LMS_PATH', dirname( STM_LMS_FILE ) ); define( 'STM_LMS_URL', plugin_dir_url( STM_LMS_FILE ) );-define( 'STM_LMS_VERSION', '3.7.6' );+define( 'STM_LMS_VERSION', '3.7.7' ); define( 'STM_LMS_DB_VERSION', '3.7.5' ); define( 'STM_LMS_BASE_API_URL', '/wp-json/lms' ); define( 'STM_LMS_LIBRARY', STM_LMS_PATH . '/libraries' );
AI Analysis
Vulnerability Existed: no
No Vulnerability Detected - Version Number Update - _core/init.php Line 6
Old Code:
```php
define( 'STM_LMS_VERSION', '3.7.6' );
```
Fixed Code:
```php
define( 'STM_LMS_VERSION', '3.7.7' );
```
Explanation:
This diff shows a simple version number increment from 3.7.6 to 3.7.7 in a WordPress plugin's initialization file. This is a routine version update with no security implications. Version constants are metadata that identify the plugin release and do not introduce, fix, or relate to any security vulnerabilities. This change does not involve code logic, input handling, authentication, encryption, access control, or any other security-sensitive operations.
CVE Analysis Results:
CVE-2025-13766: No
_core/libraries/nuxy/NUXY.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/libraries/nuxy/NUXY.php	2026-01-08 00:35:19.666771132 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/libraries/nuxy/NUXY.php	2026-01-08 00:37:59.280439007 +0000@@ -3,7 +3,7 @@  * Framework Name: NUXY  * Framework URI: https://github.com/StylemixThemes/nuxy  * Description: WordPress Custom Fields & Theme Options with Vue.js.- * Version: 4.4.44+ * Version: 4.4.41  * License: http://www.gnu.org/licenses/gpl-3.0.html  * Author: StylemixThemes  * Author URI: https://stylemixthemes.com@@ -24,7 +24,7 @@  		if ( ! class_exists( 'Stylemix_NUXY' ) && __FILE__ === $max_version[0] ) { -			define( 'STM_WPCFTO_VERSION', '4.4.44' );+			define( 'STM_WPCFTO_VERSION', '4.4.41' ); 			define( 'STM_WPCFTO_FILE', __FILE__ ); 			define( 'STM_WPCFTO_PATH', dirname( STM_WPCFTO_FILE ) ); 			define( 'STM_WPCFTO_URL', plugin_dir_url( STM_WPCFTO_FILE ) );
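Review bot: this lowers `STM_WPCFTO_VERSION` (and the header `Version:`) from 4.4.44 to 4.4.41 rather than raising it. The context line `__FILE__ === $max_version[0]` shows that only the bundled NUXY copy with the highest version is loaded, so if another installed Stylemix product still ships 4.4.42 to 4.4.44, that copy will now win over this one and whatever this bundle carries will not be loaded. Confirm the downgrade is intentional and record the reason in the commit message.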
AI Analysis
Based on my analysis of the provided code diff, here is my assessment:

**Vulnerability Existed: no**

**No Vulnerabilities Detected**

**Explanation:**

This diff contains only version number changes from `4.4.44` to `4.4.41` in two locations within the NUXY.php file (the file header comment and a constant definition). These are purely cosmetic/metadata changes with no security implications.

There are no:
- Changes to executable code logic
- Modifications to security-sensitive functions
- Alterations to input validation, sanitization, or authentication mechanisms
- Changes to access control or permission handling
- Modifications to cryptographic operations
- Changes to database queries or data handling

Version numbering itself does not introduce or fix security vulnerabilities. This appears to be a version rollback or correction in the metadata, which is an administrative change without security risk.
CVE Analysis Results:
CVE-2025-13766: No
_core/libraries/nuxy/metaboxes/metabox.php AI: Not Sure
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/libraries/nuxy/metaboxes/metabox.php	2026-01-08 00:35:19.666771132 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/libraries/nuxy/metaboxes/metabox.php	2026-01-08 00:37:59.280439007 +0000@@ -627,10 +627,6 @@ 		$dependency = "v-bind:class=\"{'wpcfto-disabled-field' : {$dependencies}}\""; 	} -	if ( ! empty( $field['dependency_mode'] ) && 'always_on' === $field['dependency_mode'] ) {-		$dependency = "v-bind:class=\"{'wpcfto-always-on' : {$dependencies}}\"";-	}- 	return $dependency; } @@ -664,7 +660,7 @@  function wpcfto_metaboxes_display_single_field( $section, $section_name, $field, $field_name, $metabox_id = null ) { 	$dependency  = wpcfto_metaboxes_deps( $field, $section_name );-	$width       = 'column-' . ( isset( $field['column'] ) ? $field['column'] : 1 );+	$width       = 'column-1'; 	$is_pro      = ( ! empty( $field['pro'] ) ) ? 'is_pro' : 'not_pro'; 	$vars        = ( ! empty( $field['vars'] ) ) ? $field['vars'] : ''; 	$disable     = ( ! empty( $field['disable'] ) ) ? 'is_disabled' : '';@@ -756,7 +752,6 @@  function wpcfto_metaboxes_display_group_field( $section, $section_name, $field, $field_name ) { 	if ( 'started' === $field['group'] ) :-		$column = isset( $field['column'] ) ? $field['column'] : 1;  		$group_data = ''; @@ -764,7 +759,7 @@ 			$group_data = 'data-dependency=' . json_encode( $field['dependency'] ); 		} -		$group_classes = array( 'wpcfto-box wpcfto_group_started column-' . $column );+		$group_classes = array( 'wpcfto-box wpcfto_group_started column-1' ); 		if ( ! empty( $field['submenu'] ) ) { 			$group_classes[] = sanitize_title( "{$section_name}_{$field['submenu']}" ); 		}
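Review bot: `$width` and the group class are now hardcoded to `column-1` and the `always_on` branch is dropped, so field configs that still pass `column` or `dependency_mode => 'always_on'` are silently ignored with no deprecation notice; a `_doing_it_wrong()` or changelog entry would help downstream configs. Separately, the context line `$group_data = 'data-dependency=' . json_encode( $field['dependency'] );` emits an unquoted attribute value whose JSON contains spaces and double quotes; wrap it as `data-dependency="' . esc_attr( wp_json_encode( $field['dependency'] ) ) . '"` so the attribute cannot terminate early.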
AI Analysis
Based on my analysis of the code diff, here are the security findings:

---

**Vulnerability 1:**

Vulnerability Existed: not sure

CWE-94 (Code Injection) / CWE-79 (Cross-site Scripting) - CWE-94, CWE-79 - _core/libraries/nuxy/metaboxes/metabox.php, Lines 641, 643, 652, 655, 659

Old Code:
```php
$dependency = "data['{$section_name}']['fields']['{$key}']['value']";
// ... and similar patterns with unsanitized $section_name, $key, $compare in string interpolation
```

Fixed Code:
```php
// Removed the 'always_on' dependency mode condition entirely
// Lines 630-632 removed
```

Explanation:
The diff removes the 'always_on' dependency mode handling, but the primary vulnerability concern persists in the remaining code. The `wpcfto_metaboxes_generate_deps()` function (lines 637-663 in v3.7.6, 633-659 in v3.7.7) constructs JavaScript code by directly interpolating user-controlled values (`$section_name`, `$key`, `$compare`) into strings without proper escaping. These interpolated strings are returned and later output to HTML via `esc_attr()`, which only escapes HTML attributes, not JavaScript expressions. This could allow JavaScript injection if an attacker can control field dependencies, keys, or comparison values. The removal of the 'always_on' mode reduces attack surface but doesn't fix the underlying injection vulnerability.

---

**Vulnerability 2:**

Vulnerability Existed: no

CWE-20 (Improper Input Validation) - CWE-20 - _core/libraries/nuxy/metaboxes/metabox.php, Lines 667 & 759

Old Code:
```php
$width = 'column-' . ( isset( $field['column'] ) ? $field['column'] : 1 );
$column = isset( $field['column'] ) ? $field['column'] : 1;
$group_classes = array( 'wpcfto-box wpcfto_group_started column-' . $column );
```

Fixed Code:
```php
$width = 'column-1';
$group_classes = array( 'wpcfto-box wpcfto_group_started column-1' );
```

Explanation:
The old code dynamically constructed CSS class names by concatenating the `$field['column']` value without validation. This could potentially allow injection of arbitrary CSS classes or values if `$field['column']` contains malicious input. The fix hardcodes `column-1`, eliminating the vulnerability by removing user input from the class name construction entirely. This is a legitimate security improvement that prevents CSS class injection attacks.
CVE Analysis Results:
CVE-2025-13766: No
_core/libraries/support-page/config/default.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/libraries/support-page/config/default.php	2026-01-08 00:35:19.962789004 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/libraries/support-page/config/default.php	2026-01-08 00:38:00.456510451 +0000@@ -27,7 +27,7 @@ 			$has_promo = array_filter( $notice['post_terms']['type_category'], function( $cat ) { 				return isset( $cat['slug'] ) && 'promo' === $cat['slug']; 			} );-+			 			if ( ! empty( $has_promo ) ) { 				$promo_notice = $notice; 				break;@@ -140,29 +140,6 @@ 				), 			), 		),-		'hosting'       => array(-			'class'        => 'help-item-full-width help-item-hosting',-			'description'  => sprintf(-				__( 'Enterprise-Grade Hosting from %1$s %2$s ', 'support-page' ),-				'<span>' . __( 'just $29', 'support-page' ) . '</span>',-				'<small>' . __( 'Without the Hyper Costs.', 'support-page' ) . '</small>',-			),-			'show_hosting' => false,-			'logo'         => SUPPORT_PAGE_URL . 'assets/images/integrations/rapyd.png',-			'logo-alt'     => 'Rapyd',-			'logo-width'   => '190',-			'logo-height'  => '41',-			'buttons'      => array(-				array(-					'label'     => __( 'Get Deal', 'support-page' ),-					'href'      => 'https://rapyd.cloud/pricing/?fpr=stylemixthemes ',-					'type'      => 'pink',-				),-			),-			'image'        => SUPPORT_PAGE_URL . 'assets/images/hosting-bg.jpg',-			'image-width'  => '1110',-			'image-height' => '142',-		), 		'features'      => array( 			'class'        => 'help-item-full-width help-item-features', 			'title'        => '',
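Review bot: the first hunk replaces an empty line with one containing three tabs and a trailing space, which reintroduces trailing whitespace; keep that line empty. The second hunk is a clean removal of the `hosting` promo block.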
AI Analysis
Vulnerability Existed: no
No CWE - N/A - _core/libraries/support-page/config/default.php
N/A
N/A
Explanation:
This diff contains only non-security changes:
1. A whitespace normalization (line 30: trailing whitespace removal)
2. Removal of a 'hosting' configuration array block (lines 143-166) that contained a third-party service integration (Rapyd) with a promotional link

The removal of the hosting configuration section does not address any security vulnerabilities. It appears to be a feature removal or configuration cleanup. The URL referenced (https://rapyd.cloud/pricing/?fpr=stylemixthemes) is a legitimate affiliate/partnership link, not a vulnerability. There are no injection flaws, authentication issues, cryptographic weaknesses, or other OWASP vulnerabilities present in either the old or new code.
CVE Analysis Results:
CVE-2025-13766: No
_core/libraries/support-page/templates/main.php AI: 2 vulnerabilities 2 false positives
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/libraries/support-page/templates/main.php	2026-01-08 00:35:19.974789728 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/libraries/support-page/templates/main.php	2026-01-08 00:38:00.464510937 +0000@@ -20,17 +20,10 @@ 	</header> 	<section class="help-grid"> 	<?php-	foreach ( $data['help_items'] as $key => $item ) :+	foreach ( $data['help_items'] as $item ) : 		$pro       = $item['has-pro'] ?? ''; 		$pro_plus  = $item['has-pro-plus'] ?? ''; 		$title_pro = $item['title_pro'] ?? '';-		$show_host = $item['show_hosting'] ?? '';-		$logo      = $item['logo'] ?? '';--		if ( 'hosting' === $key && empty( $show_host ) ) {-			continue;-		}- 		if ( empty( $item ) || 			! is_array( $item ) || ( empty( $item['has-pro-notice'] ) && ( isset( $pro_plus ) && true === $pro_plus ) ) 		) {@@ -42,10 +35,6 @@ 			<div class="icon <?php echo esc_attr( $item['icon'] ); ?>"></div> 				<?php 			endif;-			if ( ! empty( $logo ) ) : ?>-				<img src="<?php echo esc_url( $item['logo'] ) ; ?>" width="<?php echo esc_attr( $item['logo-width'] ); ?>" height="<?php echo esc_attr( $item['logo-height'] ); ?>" class="help-item-logo" alt="<?php echo esc_attr( $item['logo-alt'] ); ?>">-			<?php-			endif; 			if ( ! empty( $item['title'] ) ) : 				?> 			<h3>@@ -124,7 +113,7 @@ 			} 			if ( ! empty( $item['image'] ) ) : 				?>-			<div class="image"><img src="<?php echo esc_url( $item['image'] ); ?>" width="<?php echo esc_attr( $item['image-width'] ); ?>" height="<?php echo esc_attr( $item['image-height'] ); ?>" alt="<?php echo esc_attr( $item['title'] ); ?>"></div>+			<div class="image"><img src="<?php echo esc_url( $item['image'] ); ?>" width="<?php echo esc_attr( $item['image-width'] ); ?>" alt="<?php echo esc_attr( $item['image-height'] ); ?>" alt="<?php echo esc_attr( $item['title'] ); ?>"></div> 			<?php endif; ?> 		</div> 		<?php
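Review bot: in the last hunk the `height="<?php echo esc_attr( $item['image-height'] ); ?>"` attribute on the `<img>` inside `<div class="image">` has been turned into a second `alt` attribute, so the tag now carries duplicate `alt` attributes and no longer has a height; the line should keep `height="<?php echo esc_attr( $item['image-height'] ); ?>" alt="<?php echo esc_attr( $item['title'] ); ?>"`. The earlier hunks (dropping `$key`, `$show_host` and the `$logo` block) are consistent with each other, since the only remaining use of `$key` was the removed `'hosting' === $key` check.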
AI Analysis
---

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - _core/libraries/support-page/templates/main.php - Line 45

**Old Code:**
```php
if ( ! empty( $logo ) ) : ?>
    <img src="<?php echo esc_url( $item['logo'] ) ; ?>" width="<?php echo esc_attr( $item['logo-width'] ); ?>" height="<?php echo esc_attr( $item['logo-height'] ); ?>" class="help-item-logo" alt="<?php echo esc_attr( $item['logo-alt'] ); ?>">
<?php
endif;
```

**Fixed Code:**
```php
(Code block removed entirely)
```

Explanation:
The original code contained proper escaping with `esc_url()`, `esc_attr()` functions, which are WordPress security functions. However, the removal of this code eliminates a potential attack surface. If the `$item['logo']`, `$item['logo-width']`, `$item['logo-height']`, or `$item['logo-alt']` values were not properly validated at the data source, they could be manipulated. The removal reduces complexity and eliminates this specific output vector, making the template more secure by default.

---

**Vulnerability 2:**

Vulnerability Existed: yes
FALSE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - _core/libraries/support-page/templates/main.php - Line 116

**Old Code:**
```php
<div class="image"><img src="<?php echo esc_url( $item['image'] ); ?>" width="<?php echo esc_attr( $item['image-width'] ); ?>" height="<?php echo esc_attr( $item['image-height'] ); ?>" alt="<?php echo esc_attr( $item['title'] ); ?>"></div>
```

**Fixed Code:**
```php
<div class="image"><img src="<?php echo esc_url( $item['image'] ); ?>" width="<?php echo esc_attr( $item['image-width'] ); ?>" alt="<?php echo esc_attr( $item['image-height'] ); ?>" alt="<?php echo esc_attr( $item['title'] ); ?>"></div>
```

Explanation:
This change introduces a **new vulnerability** rather than fixing one. The `height` attribute has been incorrectly replaced with another `alt` attribute. This creates invalid HTML with duplicate `alt` attributes. More critically, the `height` value `$item['image-height']` is now being output in the `alt` attribute without proper context. While `esc_attr()` provides escaping, using image dimensions in the alt text is semantically incorrect and could expose internal data. This appears to be a regression or accidental modification rather than a security improvement.
CVE Analysis Results:
CVE-2025-13766: No
_core/lms/admin_helpers.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/lms/admin_helpers.php	2026-01-08 00:35:19.982790211 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/lms/admin_helpers.php	2026-01-08 00:38:00.524514583 +0000@@ -9,8 +9,8 @@  		stm_lms_register_script( 'admin/lms_sub_menu' ); 		/** enqueue styles **/+		wp_enqueue_style( 'stm_lms_icons', STM_LMS_URL . 'assets/icons/style.css', null, STM_LMS_VERSION ); 		wp_enqueue_style( 'stm_lms_starter_theme', STM_LMS_URL . 'includes/starter-theme/assets/main.css', array( 'wp-admin' ), $version );-		wp_enqueue_style( 'font-awesome-min', STM_LMS_URL . 'assets/vendors/font-awesome.min.css', null, $version, 'all' );  		/** enqueue javascript **/ 		wp_enqueue_script( 'stm_lms_starter_theme', STM_LMS_URL . 'includes/starter-theme/assets/main.js', array( 'jquery-core' ), $version, true );@@ -52,7 +52,6 @@ /** Add icons for gutenberg blocks */ function stm_lms_gutenberg_block_styles() { 	wp_enqueue_style( 'stm_lms_icons', STM_LMS_URL . 'assets/icons/style.css', null, STM_LMS_VERSION );-	wp_enqueue_style( 'font-awesome-min', STM_LMS_URL . 'assets/vendors/font-awesome.min.css', null, STM_LMS_VERSION, 'all' ); 	wp_enqueue_style( 'linear', STM_LMS_URL . 'libraries/nuxy/taxonomy_meta/assets/linearicons/linear.css', null, STM_LMS_VERSION, 'all' ); } @@ -99,7 +98,6 @@ 			$user->add_cap( 'read_elementor_libraries' ); 		} 	}- } add_action( 'init', 'stm_lms_add_theme_caps' ); @@ -123,7 +121,7 @@  add_action( 	'wp_ajax_stm_lms_hide_announcement',-	function() {+	function () { 		check_ajax_referer( 'stm_lms_hide_announcement', 'nonce' ); 		set_transient( 'stm_lms_app_notice', '1', MONTH_IN_SECONDS ); 	}@@ -157,7 +155,6 @@ 			set_transient( 'stm_masterstudy-lms-learning-management-system_single_notice_setting', $data ); 			update_option( 'stm_lms_course_created', true ); 		}- 	}, 	20, 	3
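Review bot: the new `wp_enqueue_style( 'stm_lms_icons', ... )` line in the first hunk passes `STM_LMS_VERSION` as the version while the `stm_lms_starter_theme` enqueue on the very next line uses `$version`; use one version source for the admin stylesheets so cache-busting behaves the same for both. Since `font-awesome-min` is removed from both admin enqueue points here and the replacement helper in `classes/helpers.php` is only called from `enqueue.php` in this patch, confirm that no admin view still renders `fa-*` classes.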
AI Analysis
Vulnerability Existed: no
N/A - No security vulnerabilities identified
N/A
N/A
Explanation:
The diff shows only non-security changes:
1. Reordering of wp_enqueue_style calls (lines 12-14) - moving 'stm_lms_icons' before 'stm_lms_starter_theme'
2. Removal of 'font-awesome-min' stylesheet enqueueing in two locations (lines 15 and 55) - this is a dependency cleanup, not a security fix
3. Whitespace/formatting adjustments (removing blank lines at lines 101, 158)
4. Minor code style change (adding space in anonymous function declaration at line 126: `function()` → `function ()`)

None of these changes address or introduce security vulnerabilities. The removal of font-awesome references is a code cleanup measure but doesn't fix any CWE or security issue. All changes are cosmetic or dependency management related.
CVE Analysis Results:
CVE-2025-13766: No
_core/lms/classes/helpers.php AI: 1 vulnerability 1 false positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/lms/classes/helpers.php	2026-01-08 00:35:19.998791177 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/lms/classes/helpers.php	2026-01-08 00:38:00.596518957 +0000@@ -1166,4 +1166,14 @@  		return $interval_label; 	}++	public static function enqueue_font_awesome_icons() {+		$elementor_main = WP_PLUGIN_DIR . '/elementor/elementor.php';+		$wpbakery       = WP_PLUGIN_DIR . '/js_composer/js_composer.php';+		$base           = STM_LMS_URL . 'libraries/nuxy/metaboxes/assets/'; // Rewrite STM_WPCFTO_URL++		if ( file_exists( $elementor_main ) || file_exists( $wpbakery ) ) {+			wp_enqueue_style( 'font-awesome-min', $base . 'vendors/font-awesome.min.css', null, MS_LMS_VERSION );+		}+	} }
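Review bot: `enqueue_font_awesome_icons()` gates the stylesheet on `file_exists()` for the Elementor and WPBakery entry files, which is also true for an installed but deactivated plugin; if the intent is "only when one of those builders is active", check activation instead (for example `is_plugin_active()`, after loading `wp-admin/includes/plugin.php` on the front end, or the builder's own constant). Two smaller points on the same hunk: the `// Rewrite STM_WPCFTO_URL` comment is copied verbatim from `enqueue.php` and no longer explains anything here, and the new public static method has no docblock saying why the enqueue is conditional.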
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
[CWE-434: Unrestricted Upload of File with Dangerous Type / CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval')] - [CWE-434, CWE-95] - _core/lms/classes/helpers.php [Lines 1169-1177]

Old Code:
```
[Function did not exist]
```

Fixed Code:
```
public static function enqueue_font_awesome_icons() {
    $elementor_main = WP_PLUGIN_DIR . '/elementor/elementor.php';
    $wpbakery       = WP_PLUGIN_DIR . '/js_composer/js_composer.php';
    $base           = STM_LMS_URL . 'libraries/nuxy/metaboxes/assets/'; // Rewrite STM_WPCFTO_URL

    if ( file_exists( $elementor_main ) || file_exists( $wpbakery ) ) {
        wp_enqueue_style( 'font-awesome-min', $base . 'vendors/font-awesome.min.css', null, MS_LMS_VERSION );
    }
}
```

Explanation:
This is a new function addition rather than a fix. The code contains a **Path Traversal / Arbitrary File Inclusion vulnerability (CWE-22)**. The `$base` variable constructs a URL path using `STM_LMS_URL . 'libraries/nuxy/metaboxes/assets/'`, and then appends `'vendors/font-awesome.min.css'` to it. 

**Security Issue**: If an attacker can control or manipulate the `STM_LMS_URL` constant, or if the assets directory is web-accessible and writable, they could potentially enqueue malicious CSS files. Additionally, there's no validation that the final URL is within the expected directory - an attacker could potentially use path traversal sequences like `../` to load CSS from arbitrary locations.

**Recommendation**: 
1. Use `wp_normalize_path()` to sanitize the path
2. Validate that the resolved path is within the expected assets directory
3. Use absolute filesystem paths instead of URL construction, then convert to proper URL with `plugins_url()` or similar WordPress functions
4. Implement proper access controls on the assets directory
CVE Analysis Results:
CVE-2025-13766: No
_core/lms/classes/students.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/lms/classes/students.php	2026-01-08 00:35:20.026792869 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/lms/classes/students.php	2026-01-08 00:38:00.648522116 +0000@@ -20,7 +20,7 @@ 			'slug'         => 'enrolled-students', 			'lms_template' => 'stm-lms-enrolled-students', 			'menu_title'   => esc_html__( 'Students', 'masterstudy-lms-learning-management-system' ),-			'menu_icon'    => 'fa-user',+			'menu_icon'    => 'stmlms-user-2', 			'menu_url'     => ms_plugin_user_account_url( 'enrolled-students' ), 			'menu_place'   => 'main', 		);
AI Analysis
Vulnerability Existed: no
No Vulnerability Identified - Configuration Change
File: _core/lms/classes/students.php [Line 23]

Old Code:
```
'menu_icon'    => 'fa-user',
```

Fixed Code:
```
'menu_icon'    => 'stmlms-user-2',
```

Explanation:
This is a benign configuration change updating the menu icon identifier from 'fa-user' (Font Awesome icon class) to 'stmlms-user-2' (custom icon class). This is a UI/presentation layer modification with no security implications. There are no input validation issues, no injection vectors, no authentication/authorization bypasses, and no exposure of sensitive data. This change simply updates which icon asset is displayed in the user interface menu.
CVE Analysis Results:
CVE-2025-13766: No
_core/lms/classes/user.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/lms/classes/user.php	2026-01-08 00:35:20.030793110 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/lms/classes/user.php	2026-01-08 00:38:00.652522359 +0000@@ -1082,7 +1082,7 @@ 		$user_id = $user['id'];  		$r = array(-			'icon' => 'far fa-heart',+			'icon' => 'stmlms-heart-3', 			'text' => esc_html__( 'Add to wishlist', 'masterstudy-lms-learning-management-system' ), 		); @@ -1094,7 +1094,7 @@ 		if ( ! in_array( $post_id, $wishlist ) ) { // phpcs:ignore WordPress.PHP.StrictInArray.MissingTrueStrict 			$wishlist[] = $post_id; 			$r          = array(-				'icon' => 'fa fa-heart',+				'icon' => 'stmlms-heart-2', 				'text' => esc_html__( 'Remove from wishlist', 'masterstudy-lms-learning-management-system' ), 			); 		} else {
AI Analysis
Vulnerability Existed: no
No vulnerabilities detected in this code diff.

Explanation:
This diff contains only a change to icon class names in the wishlist functionality:
- Line 1085: 'far fa-heart' → 'stmlms-heart-3'
- Line 1097: 'fa fa-heart' → 'stmlms-heart-2'

These are purely cosmetic/UI changes replacing Font Awesome icon classes with custom theme icon classes. There are no security implications:
- No user input is being processed
- No authentication/authorization logic is modified
- No sensitive data handling is involved
- No SQL queries, file operations, or external API calls are affected
- The changes do not introduce any new code paths or vulnerability vectors

This is a safe, non-security-related UI update.
CVE Analysis Results:
CVE-2025-13766: No
_core/lms/classes/user_menu.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/lms/classes/user_menu.php	2026-01-08 00:35:20.030793110 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/lms/classes/user_menu.php	2026-01-08 00:38:00.652522359 +0000@@ -208,7 +208,7 @@ 				'id'           => 'dashboard', 				'lms_template' => 'stm-lms-user', 				'menu_title'   => esc_html__( 'Dashboard', 'masterstudy-lms-learning-management-system' ),-				'menu_icon'    => 'fa-tachometer-alt',+				'menu_icon'    => 'stmlms-tachometer-alt', 				'menu_url'     => STM_LMS_User::login_page_url(), 				'is_active'    => ( ! empty( $settings['user_url'] ) ) ? $settings['user_url'] : '', 				'menu_place'   => 'main',@@ -228,7 +228,7 @@ 					'slug'         => 'edit-course', 					'lms_template' => 'course-builder', 					'menu_title'   => esc_html__( 'Add Course', 'masterstudy-lms-learning-management-system' ),-					'menu_icon'    => 'fa-plus',+					'menu_icon'    => 'stmlms-plus-2', 					'menu_url'     => ms_plugin_manage_course_url(), 					'menu_place'   => 'main', 				);@@ -241,7 +241,7 @@ 			'slug'         => 'enrolled-courses', 			'lms_template' => 'stm-lms-user-courses', 			'menu_title'   => esc_html__( 'Enrolled Courses', 'masterstudy-lms-learning-management-system' ),-			'menu_icon'    => 'fa-book',+			'menu_icon'    => 'stmlms-book-2', 			'menu_url'     => ms_plugin_user_account_url( 'enrolled-courses' ), 			'is_active'    => ( ! $is_instructor && intval( $settings['user_url'] ?? 
null ) === get_queried_object_id() ), 			'menu_place'   => 'learning',@@ -254,7 +254,7 @@ 				'slug'         => 'settings', 				'lms_template' => 'stm-lms-user-settings', 				'menu_title'   => esc_html__( 'Settings', 'masterstudy-lms-learning-management-system' ),-				'menu_icon'    => 'fa-cog',+				'menu_icon'    => 'stmlms-cog-2', 				'menu_url'     => ms_plugin_user_account_url( 'settings' ), 				'menu_place'   => 'learning', 			);@@ -267,7 +267,7 @@ 				'slug'         => 'chat', 				'lms_template' => 'stm-lms-user-chats', 				'menu_title'   => esc_html__( 'Messages', 'masterstudy-lms-learning-management-system' ),-				'menu_icon'    => 'fa-envelope',+				'menu_icon'    => 'stmlms-envelope-2', 				'menu_url'     => ms_plugin_user_account_url( 'chat' ), 				'badge_count'  => STM_LMS_Chat::user_new_messages( $user_id ), 				'menu_place'   => 'learning',@@ -280,7 +280,7 @@ 			'slug'         => 'wishlist', 			'lms_template' => 'stm-lms-wishlist', 			'menu_title'   => esc_html__( 'Wishlist', 'masterstudy-lms-learning-management-system' ),-			'menu_icon'    => 'fa-star',+			'menu_icon'    => 'stmlms-star-3', 			'menu_url'     => STM_LMS_User::wishlist_url(), 			'is_active'    => ( ! empty( $settings['wishlist_url'] ) ) ? 
$settings['wishlist_url'] : '', 			'menu_place'   => 'learning',@@ -291,7 +291,7 @@ 			'slug'         => 'enrolled-quizzes', 			'lms_template' => 'stm-lms-user-quizzes', 			'menu_title'   => esc_html__( 'Enrolled Quizzes', 'masterstudy-lms-learning-management-system' ),-			'menu_icon'    => 'fa-question',+			'menu_icon'    => 'stmlms-question-2', 			'menu_url'     => ms_plugin_user_account_url( 'enrolled-quizzes' ), 			'menu_place'   => 'learning', 		);@@ -301,7 +301,7 @@ 			'slug'         => 'my-orders', 			'lms_template' => 'stm-lms-user-orders', 			'menu_title'   => esc_html__( 'My Orders', 'masterstudy-lms-learning-management-system' ),-			'menu_icon'    => 'fa-shopping-basket',+			'menu_icon'    => 'stmlms-shopping-basket', 			'menu_url'     => ms_plugin_user_account_url( 'my-orders' ), 			'menu_place'   => 'learning', 		);@@ -313,7 +313,7 @@ 				'slug'         => 'memberships-pmp', 				'lms_template' => 'stm-lms-user-pmp', 				'menu_title'   => esc_html__( 'Memberships', 'masterstudy-lms-learning-management-system' ),-				'menu_icon'    => 'fa-address-card',+				'menu_icon'    => 'stmlms-address-card', 				'menu_url'     => STM_LMS_User::my_pmpro_url(), 				'menu_place'   => 'learning', 			);
AI Analysis
# Security Analysis Results

**Vulnerability Existed: no**

**No Vulnerabilities Detected** - _core/lms/classes/user_menu.php [All Lines]

**Old Code:**
```php
'menu_icon'    => 'fa-tachometer-alt',
'menu_icon'    => 'fa-plus',
'menu_icon'    => 'fa-book',
'menu_icon'    => 'fa-cog',
'menu_icon'    => 'fa-envelope',
'menu_icon'    => 'fa-star',
'menu_icon'    => 'fa-question',
'menu_icon'    => 'fa-shopping-basket',
'menu_icon'    => 'fa-address-card',
```

**Fixed Code:**
```php
'menu_icon'    => 'stmlms-tachometer-alt',
'menu_icon'    => 'stmlms-plus-2',
'menu_icon'    => 'stmlms-book-2',
'menu_icon'    => 'stmlms-cog-2',
'menu_icon'    => 'stmlms-envelope-2',
'menu_icon'    => 'stmlms-star-3',
'menu_icon'    => 'stmlms-question-2',
'menu_icon'    => 'stmlms-shopping-basket',
'menu_icon'    => 'stmlms-address-card',
```

**Explanation:**
This diff contains only icon class name replacements, changing from Font Awesome (`fa-*`) icon classes to custom MasterStudy LMS icon classes (`stmlms-*`). These are static string assignments to configuration array keys with no user input, dynamic data, or security-sensitive operations involved. The changes are purely presentational and do not introduce, fix, or relate to any security vulnerabilities.
CVE Analysis Results:
CVE-2025-13766: No
_core/lms/enqueue.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/lms/enqueue.php	2026-01-08 00:35:20.050794318 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/lms/enqueue.php	2026-01-08 00:38:00.684524303 +0000@@ -35,11 +35,11 @@ 	$base   = STM_LMS_URL . 'libraries/nuxy/metaboxes/assets/'; // Rewrite STM_WPCFTO_URL  	wp_register_style( 'masterstudy-fonts', $assets . '/css/variables/fonts.css', null, MS_LMS_VERSION );-	wp_enqueue_style( 'font-awesome-min', $assets . '/vendors/font-awesome.min.css', null, MS_LMS_VERSION, 'all' ); 	wp_enqueue_style( 'stm_lms_icons', $assets . '/icons/style.css', null, MS_LMS_VERSION ); 	wp_enqueue_style( 'video.js', $assets . '/vendors/video-js.min.css', null, MS_LMS_VERSION, 'all' ); 	wp_register_style( 'owl.carousel', $assets . '/vendors/owl.carousel.min.css', null, MS_LMS_VERSION, 'all' ); 	wp_register_style( 'masterstudy_lazysizes', $assets . '/css/lazysizes.css', null, MS_LMS_VERSION );+	STM_LMS_Helpers::enqueue_font_awesome_icons();  	wp_enqueue_script( 'jquery' ); 
@@ -275,7 +275,6 @@ 	wp_register_style( 'ms_lms_courses_searchbox', STM_LMS_URL . 'assets/css/elementor-widgets/course-search-box/course-search-box.css', array(), STM_LMS_VERSION, false ); 	wp_register_style( 'profile-auth-links-style', STM_LMS_URL . 'assets/css/elementor-widgets/auth-links.css', array(), STM_LMS_VERSION, false ); 	wp_register_style( 'stm_lms_icons', STM_LMS_URL . 'assets/icons/style.css', null, STM_LMS_VERSION );-	wp_register_style( 'font-awesome-min', STM_LMS_URL . 'assets/vendors/font-awesome.min.css', null, STM_LMS_VERSION, 'all' ); 	wp_register_style( 'linear', STM_LMS_URL . 'libraries/nuxy/taxonomy_meta/assets/linearicons/linear.css', null, STM_LMS_VERSION, 'all' ); 	wp_register_style( 'premium-templates', STM_LMS_URL . 'assets/css/parts/premium-templates/premium-templates.css', array(), MS_LMS_VERSION, 'all' ); 	wp_register_style( 'masterstudy-course-templates', STM_LMS_URL . 'assets/css/components/course-templates.css', array(), MS_LMS_VERSION );
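Review bot: in the first hunk the Font Awesome stylesheet moves from `$assets . '/vendors/font-awesome.min.css'` (enqueued before `stm_lms_icons`) to the helper call placed after `masterstudy_lazysizes`, and the helper builds its path from `libraries/nuxy/metaboxes/assets/` rather than the plugin's `assets/vendors/` directory; confirm that copy of `font-awesome.min.css` exists and is the same version, and that loading it after `stm_lms_icons` does not change which rules win the cascade for shared `.fa` selectors. The `wp_register_style( 'font-awesome-min', ... )` removed in the second hunk means any widget that still enqueues by handle without the helper having run will now silently load nothing.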
AI Analysis
---

**Vulnerability Existed: no**

**Code Refactoring / Style Management Change - No CWE Applied - _core/lms/enqueue.php - Lines 38, 278**

**Old Code:**
```php
wp_enqueue_style( 'font-awesome-min', $assets . '/vendors/font-awesome.min.css', null, MS_LMS_VERSION, 'all' );
```
and
```php
wp_register_style( 'font-awesome-min', STM_LMS_URL . 'assets/vendors/font-awesome.min.css', null, STM_LMS_VERSION, 'all' );
```

**Fixed Code:**
```php
STM_LMS_Helpers::enqueue_font_awesome_icons();
```

**Explanation:**

This diff removes direct calls to `wp_enqueue_style()` and `wp_register_style()` for Font Awesome CSS and replaces them with a centralized helper method `STM_LMS_Helpers::enqueue_font_awesome_icons()`. 

This is **not a security vulnerability fix**, but rather a refactoring improvement:
- The change consolidates Font Awesome asset loading into a single helper method
- This provides a centralized point for managing Font Awesome dependencies across the codebase
- It reduces code duplication and improves maintainability
- No security issue exists in either the old or new code—both approaches safely enqueue stylesheets using WordPress's native functions

The refactoring follows good software engineering practices by centralizing asset management, but does not address any security vulnerability.
CVE Analysis Results:
CVE-2025-13766: No
_core/lms/helpers.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/lms/helpers.php	2026-01-08 00:35:20.050794318 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/lms/helpers.php	2026-01-08 00:38:00.692524790 +0000@@ -714,14 +714,6 @@  */ function stm_lms_available_addons() { 	$available_addons = array(-		'udemy'                   => array(-			'name'          => esc_html__( 'Udemy Importer', 'masterstudy-lms-learning-management-system' ),-			'url'           => esc_url( STM_LMS_URL . 'assets/addons/udemy.png' ),-			'settings'      => admin_url( 'admin.php?page=stm-lms-udemy-settings' ),-			'description'   => esc_html__( 'Import courses from Udemy and display them on your website. Use ready-made courses on your platform and earn commissions.', 'masterstudy-lms-learning-management-system' ),-			'pro_url'       => 'https://stylemixthemes.com/wordpress-lms-plugin/pricing/?utm_source=wpadmin&utm_medium=ms-udemy&utm_campaign=masterstudy-plugin&licenses=1&billing_cycle=annual',-			'documentation' => 'udemy-course-importer',-		), 		'prerequisite'            => array( 			'name'          => esc_html__( 'Prerequisites', 'masterstudy-lms-learning-management-system' ), 			'url'           => esc_url( STM_LMS_URL . 'assets/addons/msp.png' ),
AI Analysis
Vulnerability Existed: no

No Security Vulnerability Detected - Code Removal

File: _core/lms/helpers.php [Lines 717-725]

Old Code:
```php
'udemy'                   => array(
	'name'          => esc_html__( 'Udemy Importer', 'masterstudy-lms-learning-management-system' ),
	'url'           => esc_url( STM_LMS_URL . 'assets/addons/udemy.png' ),
	'settings'      => admin_url( 'admin.php?page=stm-lms-udemy-settings' ),
	'description'   => esc_html__( 'Import courses from Udemy and display them on your website. Use ready-made courses on your platform and earn commissions.', 'masterstudy-lms-learning-management-system' ),
	'pro_url'       => 'https://stylemixthemes.com/wordpress-lms-plugin/pricing/?utm_source=wpadmin&utm_medium=ms-udemy&utm_campaign=masterstudy-plugin&licenses=1&billing_cycle=annual',
	'documentation' => 'udemy-course-importer',
),
```

Fixed Code:
```php
(removed)
```

Explanation:
This diff shows the removal of the Udemy addon configuration from the available addons array. This is not a security fix—it's a feature removal or deprecation. The removed code contained properly escaped output functions (esc_html__, esc_url, admin_url) which were already following WordPress security best practices. No vulnerability existed in the removed code, and this change does not address any security issue. The modification appears to be a product/feature decision rather than a security remediation.
CVE Analysis Results:
CVE-2025-13766: No
_core/lms/views/addons/main.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/lms/views/addons/main.php	2026-01-08 00:35:20.054794559 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/lms/views/addons/main.php	2026-01-08 00:38:00.696525032 +0000@@ -55,7 +55,7 @@ 				</li> 			</ul> 			<a href="<?php echo esc_url( admin_url( 'admin.php?page=stm-lms-go-pro&source=get-now-button-addons-banner' ) ); ?>" class="stm-lms-addon-banner__button" target="_blank">-				<i class="fas fa-arrow-right"></i>+				<i class="stmlms-arrow-right-2"></i> 				<?php echo esc_html__( 'Get Now', 'masterstudy-lms-learning-management-system' ); ?> 			</a> 		</div>
AI Analysis
**Vulnerability Existed: No**

**No Security Vulnerability Found - File: _core/lms/views/addons/main.php [Line 58]**

Old Code:
```php
<i class="fas fa-arrow-right"></i>
```

Fixed Code:
```php
<i class="stmlms-arrow-right-2"></i>
```

Explanation:
This diff shows a change from using Font Awesome icon class (`fas fa-arrow-right`) to a custom icon class (`stmlms-arrow-right-2`). This is a purely cosmetic/UI change with no security implications. Both the old and new code are safe:
- No user input is being processed
- No data is being stored or transmitted
- No authentication or authorization logic is involved
- The change does not introduce any code injection vectors, XSS vulnerabilities, or other security issues
- HTML output is properly escaped with `esc_url()` on the href attribute and `esc_html__()` on the text content

This appears to be a dependency update or icon library replacement, which is a standard maintenance task with no security relevance.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/demo_import/tpls/field.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/demo_import/tpls/field.php	2026-01-08 00:35:20.078796008 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/demo_import/tpls/field.php	2026-01-08 00:38:00.784530378 +0000@@ -3,31 +3,31 @@ 	<div v-bind:class="doneSteps + ' import_steps'" v-if="importStarted"> 		<div class="step step-questions"> 			<div class="step-wrap">-				<span class="bullet"><i class="fa fa-check"></i></span>+				<span class="bullet"><i class="stmlms-check-3"></i></span> 				<span class="step-name"><?php esc_html_e( 'Questions', 'masterstudy-lms-learning-management-system' ); ?></span> 			</div> 		</div> 		<div class="step step-quizzes"> 			<div class="step-wrap">-				<span class="bullet"><i class="fa fa-check"></i></span>+				<span class="bullet"><i class="stmlms-check-3"></i></span> 				<span class="step-name"><?php esc_html_e( 'Quizzes', 'masterstudy-lms-learning-management-system' ); ?></span> 			</div> 		</div> 		<div class="step step-lessons"> 			<div class="step-wrap">-				<span class="bullet"><i class="fa fa-check"></i></span>+				<span class="bullet"><i class="stmlms-check-3"></i></span> 				<span class="step-name"><?php esc_html_e( 'Lessons', 'masterstudy-lms-learning-management-system' ); ?></span> 			</div> 		</div> 		<div class="step step-courses"> 			<div class="step-wrap">-				<span class="bullet"><i class="fa fa-check"></i></span>+				<span class="bullet"><i class="stmlms-check-3"></i></span> 				<span class="step-name"><?php esc_html_e( 'Courses', 'masterstudy-lms-learning-management-system' ); ?></span> 			</div> 		</div> 		<div class="step step-complete"> 			<div class="step-wrap">-				<span class="bullet"><i class="fa fa-check"></i></span>+				<span class="bullet"><i class="stmlms-check-3"></i></span> 				<span class="step-name"><?php esc_html_e( 'Complete', 'masterstudy-lms-learning-management-system' ); ?></span> 			</div> 		</div>@@ -35,7 +35,7 @@ 		<p 
v-if="!importStarted"> 	<?php esc_html_e( 'Click this to add example courses, quizzes, and lessons to your site', 'masterstudy-lms-learning-management-system' ); ?></p> 		<button v-if="!importStarted" @click.prevent="importData()" class="button">-			<i class="fa fa-cloud-download-alt"></i>+			<i class="stmlms-cloud-download-alt"></i> 			<?php esc_html_e( 'Start import', 'masterstudy-lms-learning-management-system' ); ?> 		</button> </div>
AI Analysis
Vulnerability Existed: no
No CWE - No Security Issue - _core/settings/demo_import/tpls/field.php (Lines 6, 12, 18, 24, 30, 38)

Old Code:
```
<i class="fa fa-check"></i>
<i class="fa fa-cloud-download-alt"></i>
```

Fixed Code:
```
<i class="stmlms-check-3"></i>
<i class="stmlms-cloud-download-alt"></i>
```

Explanation:
This diff represents a change from Font Awesome icon classes (fa fa-*) to custom icon classes (stmlms-*). This is a UI/styling update, not a security fix. The change migrates from an external icon library dependency to internal custom icons. No security vulnerabilities are present in either version - the old code does not expose a vulnerability, and the new code does not fix one. Both versions properly use class attributes for styling without any code injection, XSS, or other security issues. This is purely a cosmetic/dependency management change.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/lms_wpcfto_helpers.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/lms_wpcfto_helpers.php	2026-01-08 00:35:20.090796733 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/lms_wpcfto_helpers.php	2026-01-08 00:38:00.812532080 +0000@@ -173,7 +173,7 @@ 			<div class="field_overlay"></div> 			<span class="pro-notice"> 				<a href="#" @click.prevent="enableAddon($event, '<?php echo esc_attr( $addon_state ); ?>')">-					<i class="fa fa-power-off"></i>+					<i class="stmlms-power-off"></i> 				<?php esc_html_e( 'Enable addon', 'masterstudy-lms-learning-management-system' ); ?> 				</a> 			</span>
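Review bot: the context line `@click.prevent="enableAddon($event, '<?php echo esc_attr( $addon_state ); ?>')"` embeds a PHP value inside a JavaScript string literal that lives in an HTML attribute. `esc_attr()` protects the attribute layer, but the browser decodes entities before Vue evaluates the expression, so a single quote in `$addon_state` would still end the JS string. Worth confirming that `$addon_state` is a fixed internal value (it appears to be an addon on/off state), or escaping it with `esc_js()`, which is the WordPress helper intended for inline-handler contexts.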
AI Analysis
Vulnerability Existed: no

No Security Vulnerability - Icon Class Name Change - File: _core/settings/lms_wpcfto_helpers.php [Line 176]

Old Code:
```php
<i class="fa fa-power-off"></i>
```

Fixed Code:
```php
<i class="stmlms-power-off"></i>
```

Explanation:
This change replaces a Font Awesome icon class ("fa fa-power-off") with a custom icon class ("stmlms-power-off"). This is a purely cosmetic UI change with no security implications. The modification does not involve:
- Output encoding/escaping changes
- Input validation or sanitization
- Access control or authentication
- Data handling or storage
- External resource loading
- Script execution context

This is simply a CSS class name update for visual presentation purposes.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/ai_lab.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/ai_lab.php	2026-01-08 00:35:20.090796733 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/ai_lab.php	2026-01-08 00:38:00.812532080 +0000@@ -9,7 +9,7 @@ 	$ai_settings_fields = array( 		'name'   => esc_html__( 'AI Lab', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'AI Lab Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-wand-magic-sparkles',+		'icon'   => 'stmlms-wand-magic-sparkles', 		'fields' => array( 			'openai_api_key'           => array( 				'type'        => 'text',@@ -96,7 +96,7 @@ 		$ai_settings_fields = array( 			'name'   => esc_html__( 'AI Lab', 'masterstudy-lms-learning-management-system' ), 			'label'  => esc_html__( 'AI Lab Settings', 'masterstudy-lms-learning-management-system' ),-			'icon'   => 'fas fa-wand-magic-sparkles',+			'icon'   => 'stmlms-wand-magic-sparkles', 			'fields' => array( 				'pro_banner_ai_lab' => array( 					'type'        => 'pro_banner',
AI Analysis
Vulnerability Existed: no
No Security Vulnerabilities Detected - [File] _core/settings/main_settings/ai_lab.php [Lines 12, 99]

Old Code:
```
'icon'   => 'fas fa-wand-magic-sparkles',
```

Fixed Code:
```
'icon'   => 'stmlms-wand-magic-sparkles',
```

Explanation:
This change replaces a Font Awesome icon class reference (`fas fa-wand-magic-sparkles`) with a custom icon class (`stmlms-wand-magic-sparkles`). This is a non-security-related modification - it's a UI/styling update to use a proprietary icon class instead of an external Font Awesome library class. The change does not introduce, fix, or involve any security vulnerabilities. Both versions are simple string assignments with no user input, code execution, or sensitive operations involved. The modification appears to be part of branding or design changes in the application.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/analytics.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/analytics.php	2026-01-08 00:35:20.090796733 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/analytics.php	2026-01-08 00:38:00.812532080 +0000@@ -4,7 +4,7 @@ 	$main_fields = array( 		'name'   => esc_html__( 'Reports & Analytics', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Reports & Analytics', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-chart-pie',+		'icon'   => 'stmlms-chart-pie', 		'fields' => array( 			'pro_banner' => array( 				'type'        => 'pro_banner',
AI Analysis
Vulnerability Existed: no
No CWE - File: _core/settings/main_settings/analytics.php [Line 7]
Old Code:
```php
'icon'   => 'fas fa-chart-pie',
```

Fixed Code:
```php
'icon'   => 'stmlms-chart-pie',
```

Explanation:
This change replaces a Font Awesome icon class reference ('fas fa-chart-pie') with a custom icon class ('stmlms-chart-pie'). This is not a security fix but rather a cosmetic/dependency change. The old code used Font Awesome's class naming convention, while the new code uses a custom icon class specific to the MasterStudy LMS theme. There are no security vulnerabilities in either version - both are simple string assignments used for CSS class application and do not involve any code execution, data handling, or security-sensitive operations.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/certificates.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/certificates.php	2026-01-08 00:35:20.090796733 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/certificates.php	2026-01-08 00:38:00.816532323 +0000@@ -4,7 +4,7 @@ 	$certificate_settings_fields = array( 		'name'   => esc_html__( 'Certificates', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Certificates Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-certificate',+		'icon'   => 'stmlms-certificate', 		'fields' => array( 			'certificate_threshold'    => array( 				'type'        => 'number',@@ -54,7 +54,7 @@ 		$certificate_settings_fields = array( 			'name'   => esc_html__( 'Certificates', 'masterstudy-lms-learning-management-system' ), 			'label'  => esc_html__( 'Certificates Settings', 'masterstudy-lms-learning-management-system' ),-			'icon'   => 'fas fa-certificate',+			'icon'   => 'stmlms-certificate', 			'fields' => array( 				'pro_banner' => array( 					'type'  => 'pro_banner',
AI Analysis
Vulnerability Existed: no

No vulnerabilities identified - _core/settings/main_settings/certificates.php [Lines 7, 57]

**Old Code:**
```php
'icon'   => 'fas fa-certificate',
```

**Fixed Code:**
```php
'icon'   => 'stmlms-certificate',
```

**Explanation:**
This change replaces a Font Awesome icon class reference (`fas fa-certificate`) with a custom icon class (`stmlms-certificate`). This is a non-security related change that appears to be updating the icon library or theme used by the application. There is no indication of:
- Input validation/sanitization bypass
- Output encoding removal
- Authentication/authorization changes
- Cryptographic weaknesses
- Injection vulnerabilities
- Sensitive data exposure
- Access control modifications

The `esc_html__()` function remains in place for proper escaping of translatable strings. This is a cosmetic/UI update, not a security fix or vulnerability introduction.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/course-player.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/course-player.php	2026-01-08 00:35:20.090796733 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/course-player.php	2026-01-08 00:38:00.816532323 +0000@@ -3,7 +3,7 @@ 	$course_player_settings = array( 		'name'  => esc_html__( 'Course Player', 'masterstudy-lms-learning-management-system' ), 		'label' => esc_html__( 'Course Player Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'  => 'fas fa-chalkboard-teacher',+		'icon'  => 'stmlms-chalkboard-teacher', 	);  	$course_player_primary_fields = array(
AI Analysis
Vulnerability Existed: no
No Security Vulnerability Detected - Icon Class String Change

Old Code:
```php
'icon'  => 'fas fa-chalkboard-teacher',
```

Fixed Code:
```php
'icon'  => 'stmlms-chalkboard-teacher',
```

Explanation:
This change replaces a Font Awesome icon class (`fas fa-chalkboard-teacher`) with a custom icon class (`stmlms-chalkboard-teacher`). This is a purely cosmetic/UI change that updates the icon reference used in the settings interface. There are no security implications—it does not involve data handling, authentication, authorization, input validation, or any potential attack vectors. The change is safe and poses no security risk.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/course.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/course.php	2026-01-08 00:35:20.090796733 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/course.php	2026-01-08 00:38:00.816532323 +0000@@ -473,7 +473,7 @@ 	$course_settings_fields = array( 		'name'   => esc_html__( 'Course', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Course Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-book',+		'icon'   => 'stmlms-book-2', 		'fields' => $course_summary_fields, 	); 
AI Analysis
Vulnerability Existed: no
No CWE Vulnerability Identified - N/A - _core/settings/main_settings/course.php [Line 476]

Old Code:
```php
'icon'   => 'fas fa-book',
```

Fixed Code:
```php
'icon'   => 'stmlms-book-2',
```

Explanation:
This change updates an icon class reference from 'fas fa-book' (Font Awesome icon) to 'stmlms-book-2' (a custom icon class). This is a non-security configuration change that does not introduce, fix, or relate to any security vulnerabilities. It is purely a cosmetic/UI update to change which icon is displayed for the Course Settings section. No CWE vulnerability is present in either version of this code.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/courses.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/courses.php	2026-01-08 00:35:20.090796733 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/courses.php	2026-01-08 00:38:00.816532323 +0000@@ -9,7 +9,7 @@ 	$courses_settings_fields = array( 		'name'   => esc_html__( 'Courses', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Courses Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-book',+		'icon'   => 'stmlms-book-2', 		'fields' => array( 			'demo_import'                       => array( 				'type' => 'demo_import',
AI Analysis
Vulnerability Existed: no
No Vulnerability Detected - [File] _core/settings/main_settings/courses.php [Line 12]

Old Code:
```php
'icon'   => 'fas fa-book',
```

Fixed Code:
```php
'icon'   => 'stmlms-book-2',
```

Explanation:
This change replaces a Font Awesome icon class reference (`fas fa-book`) with what appears to be a custom icon class (`stmlms-book-2`). This is a benign cosmetic/UI change with no security implications. The old code used an external icon library class name, while the new code uses an internal custom icon class name. This does not introduce, fix, or relate to any security vulnerability. There is no input validation issue, injection risk, authentication/authorization problem, or any other security concern associated with this string replacement in an icon configuration value.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/ecommerce.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/ecommerce.php	2026-01-08 00:35:20.094796974 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/ecommerce.php	2026-01-08 00:38:00.820532566 +0000@@ -431,7 +431,7 @@ 				'description' => esc_html__( 'This button directs you to the membership management tab, where you can create, edit, and organize different membership plans.', 'masterstudy-lms-learning-management-system' ), 				'submenu'     => $submenu_subscriptions, 			),-			'subscriptions_notice'  => array(+			'subscriptions_notice'          => array( 				'type'       => 'notice_banner', 				'label'      => esc_html__( 'The feature is not available when WooCommerce checkout is enabled', 'masterstudy-lms-learning-management-system' ), 				'dependency' => array(@@ -443,7 +443,7 @@ 		); 	} elseif ( is_ms_lms_addon_enabled( 'subscriptions' ) && STM_LMS_Subscriptions::subscription_enabled() ) { 		$subscription_fields = array(-			'subscriptions_notice'  => array(+			'subscriptions_notice' => array( 				'type'        => 'notification_message', 				'description' => sprintf( 					'<h1>%s</h1><p>%s</p>',@@ -461,7 +461,7 @@ 		); 	} elseif ( is_ms_lms_addon_enabled( 'subscriptions' ) && $woo_checkout ) { 		$subscription_fields = array(-			'subscriptions_notice'  => array(+			'subscriptions_notice' => array( 				'type'        => 'notification_message', 				'description' => sprintf( 					'<h1>%s</h1><p>%s</p>',@@ -603,7 +603,7 @@ 	return array( 		'name'   => esc_html__( 'Ecommerce', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Ecommerce', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-money-check-alt',+		'icon'   => 'stmlms-money-check-alt', 		'fields' => $currency_fields, 	); }
AI Analysis
Vulnerability Existed: no

No Security Vulnerability Identified - _core/settings/main_settings/ecommerce.php [Lines 434, 446, 464, 606]

Old Code (Line 434):
```php
'subscriptions_notice'  => array(
```

Fixed Code (Line 434):
```php
'subscriptions_notice'          => array(
```

Old Code (Line 606):
```php
'icon'   => 'fas fa-money-check-alt',
```

Fixed Code (Line 606):
```php
'icon'   => 'stmlms-money-check-alt',
```

Explanation:
This diff contains only formatting and icon class changes:

1. **Whitespace alignment changes (Lines 434, 446, 464)**: These are purely cosmetic adjustments to array key alignment. No security implications.

2. **Icon class change (Line 606)**: The change from `'fas fa-money-check-alt'` (Font Awesome) to `'stmlms-money-check-alt'` (custom icon class) is a UI/styling modification. This does not introduce or fix any security vulnerabilities. It's simply switching to a different icon library/class without any security-relevant code logic changes.

No vulnerabilities exist in this diff. The changes are non-functional formatting improvements and asset reference updates.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/gdpr.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/gdpr.php	2026-01-08 00:35:20.094796974 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/gdpr.php	2026-01-08 00:38:00.824532809 +0000@@ -7,7 +7,7 @@ 	return array( 		'name'   => esc_html__( 'Privacy Policy', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Privacy Policy Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-shield-alt',+		'icon'   => 'stmlms-shield-alt', 		'fields' => array( 			'gdpr_warning' => array( 				'type'        => 'text',
AI Analysis
Vulnerability Existed: no

No CWE-relevant vulnerability identified - [File] _core/settings/main_settings/gdpr.php [Line 10]

Old Code:
```php
'icon'   => 'fas fa-shield-alt',
```

Fixed Code:
```php
'icon'   => 'stmlms-shield-alt',
```

Explanation:
This change replaces a Font Awesome icon class reference ('fas fa-shield-alt') with a custom icon class ('stmlms-shield-alt'). This is a cosmetic/branding change with no security implications. The modification does not introduce, remove, or address any security vulnerabilities. There is no exposure to injection attacks, privilege escalation, data leakage, or other security issues. This appears to be part of routine maintenance or theming updates to use the application's own icon set instead of a third-party library.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/general.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/general.php	2026-01-08 00:35:20.094796974 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/general.php	2026-01-08 00:38:00.824532809 +0000@@ -3,7 +3,7 @@ 	return array( 		'name'   => esc_html__( 'General', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'General Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-sliders-h',+		'icon'   => 'stmlms-sliders-h', 		'fields' => array( 			/*GROUP STARTED*/ 			'main_color'            => array(
AI Analysis
Vulnerability Existed: no
No Security Vulnerability - [File] _core/settings/main_settings/general.php [Line 6]

Old Code:
```
'icon'   => 'fas fa-sliders-h',
```

Fixed Code:
```
'icon'   => 'stmlms-sliders-h',
```

Explanation:
This change replaces a Font Awesome icon class reference ('fas fa-sliders-h') with a custom icon class ('stmlms-sliders-h'). This is a UI/styling change with no security implications. The modification does not introduce, fix, or relate to any security vulnerabilities. It appears to be a non-security update to use a custom icon set instead of an external Font Awesome dependency.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/google_api.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/google_api.php	2026-01-08 00:35:20.094796974 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/google_api.php	2026-01-08 00:38:00.828533052 +0000@@ -4,7 +4,7 @@ 	return array( 		'name'   => esc_html__( 'Recaptcha', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Recaptcha', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fab fa-google',+		'icon'   => 'stmlms-google', 		'fields' => array( 			'recaptcha_site_key'    => array( 				'type'        => 'text',
AI Analysis
Vulnerability Existed: no

No CWE/Security Vulnerability

Old Code:
```php
'icon'   => 'fab fa-google',
```

Fixed Code:
```php
'icon'   => 'stmlms-google',
```

Explanation:
This change is not a security fix. It is a UI/styling update that changes the icon class from a Font Awesome icon (`fab fa-google`) to a custom icon class (`stmlms-google`). This is a cosmetic change with no security implications. There are no vulnerabilities being fixed or introduced in this diff. The change does not affect authentication, authorization, data handling, input validation, or any other security-relevant functionality.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/payments.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/payments.php	2026-01-08 00:35:20.098797216 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/payments.php	2026-01-08 00:38:00.828533052 +0000@@ -1,16 +1,15 @@ <?php -function stm_lms_settings_payments_section()-{-    return array(-        'name' => esc_html__('Payment Methods', 'masterstudy-lms-learning-management-system'),-        'label' => esc_html__('Payment Methods Settings', 'masterstudy-lms-learning-management-system'),-		'icon' => 'fas fa-money-check-alt',-        'fields' => array(-            'payment_methods' => array(-                'type' => 'payments',-                'label' => esc_html__('Payment Methods', 'masterstudy-lms-learning-management-system'),-            ),-        )-    );+function stm_lms_settings_payments_section() {+	return array(+		'name'   => esc_html__( 'Payment Methods', 'masterstudy-lms-learning-management-system' ),+		'label'  => esc_html__( 'Payment Methods Settings', 'masterstudy-lms-learning-management-system' ),+		'icon'   => 'stmlms-money-check-alt',+		'fields' => array(+			'payment_methods' => array(+				'type'  => 'payments',+				'label' => esc_html__( 'Payment Methods', 'masterstudy-lms-learning-management-system' ),+			),+		),+	); }
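Review bot: this hunk rewrites the whole `stm_lms_settings_payments_section()` body (brace placement, tabs, key alignment, spacing inside `esc_html__( … )`) while the only semantic change is `'icon' => 'fas fa-money-check-alt'` becoming `'icon' => 'stmlms-money-check-alt'`. Mixing a formatter pass with a functional edit hides the one line that matters in a 16-line diff; landing the reformat as its own commit (or calling out the single value change in the commit message) keeps the functional change reviewable. The `esc_html__()` calls and the array structure are otherwise unchanged.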
AI Analysis
Vulnerability Existed: no

No vulnerabilities detected - CWE NA - _core/settings/main_settings/payments.php - Lines 1-16

Old Code:
```php
function stm_lms_settings_payments_section()
{
    return array(
        'name' => esc_html__('Payment Methods', 'masterstudy-lms-learning-management-system'),
        'label' => esc_html__('Payment Methods Settings', 'masterstudy-lms-learning-management-system'),
		'icon' => 'fas fa-money-check-alt',
        'fields' => array(
            'payment_methods' => array(
                'type' => 'payments',
                'label' => esc_html__('Payment Methods', 'masterstudy-lms-learning-management-system'),
            ),
        )
    );
}
```

Fixed Code:
```php
function stm_lms_settings_payments_section() {
	return array(
		'name'   => esc_html__( 'Payment Methods', 'masterstudy-lms-learning-management-system' ),
		'label'  => esc_html__( 'Payment Methods Settings', 'masterstudy-lms-learning-management-system' ),
		'icon'   => 'stmlms-money-check-alt',
		'fields' => array(
			'payment_methods' => array(
				'type'  => 'payments',
				'label' => esc_html__( 'Payment Methods', 'masterstudy-lms-learning-management-system' ),
			),
		),
	);
}
```

Explanation:
This diff represents code formatting and style changes only, with no security fixes or vulnerabilities addressed:
- Indentation standardized (tabs instead of mixed spacing)
- Alignment of array keys added for readability
- Icon class name changed from `'fas fa-money-check-alt'` to `'stmlms-money-check-alt'` (cosmetic/branding change, not a security fix)
- Spacing around function parentheses and esc_html__() calls normalized
- No input validation, sanitization, or escaping logic was modified
- All security-relevant WordPress escaping functions (esc_html__) remain unchanged

This appears to be a code style/formatting update with a minor UI asset reference change, not a security patch.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/payout.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/payout.php	2026-01-08 00:35:20.098797216 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/payout.php	2026-01-08 00:38:00.832533295 +0000@@ -4,7 +4,7 @@ 	$payouts = array( 		'name'   => esc_html__( 'Payout', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Payout Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-hand-holding-usd',+		'icon'   => 'stmlms-hand-holding-usd', 		'fields' => array( 			'pro_banner' => array( 				'type'  => 'pro_banner',
AI Analysis
Vulnerability Existed: no
No Vulnerability Identified - File: _core/settings/main_settings/payout.php [Line 7]

Old Code:
```php
'icon'   => 'fas fa-hand-holding-usd',
```

Fixed Code:
```php
'icon'   => 'stmlms-hand-holding-usd',
```

Explanation:
This change replaces a Font Awesome icon class reference (`fas fa-hand-holding-usd`) with a custom icon class (`stmlms-hand-holding-usd`). This is a non-security-related change that updates the icon used in the UI. There is no security vulnerability in either the old or new code. The modification appears to be a dependency management or theming decision to use a custom icon set instead of Font Awesome, which does not introduce or fix any security issues.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/profiles.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/profiles.php	2026-01-08 00:35:20.102797457 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/profiles.php	2026-01-08 00:38:00.836533537 +0000@@ -495,7 +495,7 @@ 	return array( 		'name'   => esc_html__( 'Profiles', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Profiles Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fa fa-user-circle',+		'icon'   => 'stmlms-user-circle', 		'fields' => array_merge( $general_fields, stm_lms_settings_sorting_the_menu_section() ), 	); }
AI Analysis
Vulnerability Existed: no
No Security Vulnerability - File: _core/settings/main_settings/profiles.php [Line 498]

Old Code:
```php
'icon'   => 'fa fa-user-circle',
```

Fixed Code:
```php
'icon'   => 'stmlms-user-circle',
```

Explanation:
This change replaces a Font Awesome icon class reference (`fa fa-user-circle`) with a custom icon class (`stmlms-user-circle`). This is a UI/styling update, not a security fix. Font Awesome class names are static strings used for icon rendering and do not present a security risk in this context. This appears to be a dependency removal or icon library migration (likely dropping the reliance on Font Awesome in favor of a custom icon font), which is a maintenance update rather than a security fix.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/quiz.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/quiz.php	2026-01-08 00:35:20.102797457 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/quiz.php	2026-01-08 00:38:00.840533781 +0000@@ -32,7 +32,7 @@ 	$quiz_fields = array( 		'name'   => esc_html__( 'Quiz', 'masterstudy-lms-learning-management-system' ), 		'label'  => esc_html__( 'Quiz Settings', 'masterstudy-lms-learning-management-system' ),-		'icon'   => 'fas fa-question',+		'icon'   => 'stmlms-question-2', 		'fields' => array( 			'quiz_attempts'         => array( 				'type'        => 'select',
AI Analysis
Vulnerability Existed: no
No vulnerabilities identified - File: _core/settings/main_settings/quiz.php [Line 35]

Old Code:
```php
'icon'   => 'fas fa-question',
```

Fixed Code:
```php
'icon'   => 'stmlms-question-2',
```

Explanation:
This change replaces a Font Awesome icon class reference (`fas fa-question`) with a custom icon class (`stmlms-question-2`). This is a non-security-related change: a UI/styling update that modifies which icon is displayed in the quiz settings panel. There are no security vulnerabilities in either the old or new code. The change does not involve user input handling, authentication, authorization, data validation, or any other security-sensitive operations. Both versions are static string assignments used as CSS class names.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/routes.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/routes.php	2026-01-08 00:35:20.102797457 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/routes.php	2026-01-08 00:38:00.840533781 +0000@@ -14,7 +14,7 @@ 	}  	$data = array(-		'icon'   => 'fas fa-link',+		'icon'   => 'stmlms-link-2', 		'name'   => esc_html__( 'LMS Pages', 'masterstudy-lms-learning-management-system' ), 		'fields' => array( 
AI Analysis
Vulnerability Existed: no

No Security Vulnerability - Icon Class Change - _core/settings/main_settings/routes.php Line 17

Old Code:
```
'icon'   => 'fas fa-link',
```

Fixed Code:
```
'icon'   => 'stmlms-link-2',
```

Explanation:
This change is a simple icon class replacement from Font Awesome (`fas fa-link`) to a custom icon class (`stmlms-link-2`). This is a cosmetic UI modification with no security implications. Icon class strings are used for display purposes and do not introduce vulnerabilities such as XSS, injection, privilege escalation, or any other security risks. The change does not affect input validation, data handling, authentication, authorization, or any security-sensitive operations.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/shortcodes.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/shortcodes.php	2026-01-08 00:35:20.102797457 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/shortcodes.php	2026-01-08 00:38:00.840533781 +0000@@ -1,15 +1,14 @@ <?php -function stm_lms_settings_shortcodes_section()-{-    return array(-        'name' => esc_html__('Shortcodes', 'masterstudy-lms-learning-management-system'),-        'label' => esc_html__('Shortcodes Settings', 'masterstudy-lms-learning-management-system'),-        'icon' => 'fas fa-file-code',-        'fields' => array(-            'stm_lms_shortcodes' => array(-                'type' => 'stm_lms_shortcodes',-            ),-        )-    );+function stm_lms_settings_shortcodes_section() {+	return array(+		'name'   => esc_html__( 'Shortcodes', 'masterstudy-lms-learning-management-system' ),+		'label'  => esc_html__( 'Shortcodes Settings', 'masterstudy-lms-learning-management-system' ),+		'icon'   => 'stmlms-file-code',+		'fields' => array(+			'stm_lms_shortcodes' => array(+				'type' => 'stm_lms_shortcodes',+			),+		),+	); }
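Review bot: this hunk mixes a whole-function reformat (tabs, aligned `=>`, a trailing comma on the `fields` array) with the single functional change, `'icon' => 'fas fa-file-code'` → `'icon' => 'stmlms-file-code'`; committing the whitespace change separately would leave the icon rename reviewable at a glance. The function returns a static settings array either way, so there is no security-relevant logic to evaluate here.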
AI Analysis
Vulnerability Existed: no
No CWE Vulnerability - N/A - _core/settings/main_settings/shortcodes.php (all lines)

Old Code:
```php
function stm_lms_settings_shortcodes_section()
{
    return array(
        'name' => esc_html__('Shortcodes', 'masterstudy-lms-learning-management-system'),
        'label' => esc_html__('Shortcodes Settings', 'masterstudy-lms-learning-management-system'),
        'icon' => 'fas fa-file-code',
        'fields' => array(
            'stm_lms_shortcodes' => array(
                'type' => 'stm_lms_shortcodes',
            ),
        )
    );
}
```

Fixed Code:
```php
function stm_lms_settings_shortcodes_section() {
	return array(
		'name'   => esc_html__( 'Shortcodes', 'masterstudy-lms-learning-management-system' ),
		'label'  => esc_html__( 'Shortcodes Settings', 'masterstudy-lms-learning-management-system' ),
		'icon'   => 'stmlms-file-code',
		'fields' => array(
			'stm_lms_shortcodes' => array(
				'type' => 'stm_lms_shortcodes',
			),
		),
	);
}
```

Explanation:
This diff contains only code formatting and style changes. The modifications include: reformatting whitespace/indentation (switching to tabs), adjusting spacing in function calls, and updating the icon class name from 'fas fa-file-code' to 'stmlms-file-code'. The `esc_html__()` function calls remain in place for proper text escaping. No security vulnerabilities are introduced or removed by these changes. The update is purely stylistic and does not affect the security posture of the code.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/main_settings/sortable_menu.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/main_settings/sortable_menu.php	2026-01-08 00:35:20.102797457 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/main_settings/sortable_menu.php	2026-01-08 00:38:00.844534024 +0000@@ -40,8 +40,8 @@ 					'options' => array(), 				), 			),-			'description' => '<ul><li><i class="fa fa-lock"></i><p>' . esc_html__( 'There are restrictions for dragging and/or disabling the option', 'masterstudy-lms-learning-management-system' ) . '</p><li>-								<li><i class="fa fa-exclamation-triangle"></i><p>' . esc_html__( 'The option is important and is not recommended to be disabled', 'masterstudy-lms-learning-management-system' ) . '</p><li>',+			'description' => '<ul><li><i class="stmlms-lock-2"></i><p>' . esc_html__( 'There are restrictions for dragging and/or disabling the option', 'masterstudy-lms-learning-management-system' ) . '</p><li>+								<li><i class="stmlms-exclamation-triangle"></i><p>' . esc_html__( 'The option is important and is not recommended to be disabled', 'masterstudy-lms-learning-management-system' ) . '</p><li>', 		), 		'sorting_the_menu_student'    => array( 			'type'        => 'sorter',@@ -59,7 +59,7 @@ 					'options' => array(), 				), 			),-			'description' => '<ul><li><i class="fa fa-exclamation-triangle"></i><p>' . esc_html__( 'The option is important and is not recommended to be disabled.', 'masterstudy-lms-learning-management-system' ) . '</p><li>',+			'description' => '<ul><li><i class="stmlms-exclamation-triangle"></i><p>' . esc_html__( 'The option is important and is not recommended to be disabled.', 'masterstudy-lms-learning-management-system' ) . '</p><li>', 		), 		'sorting_float_menu_main'     => array( 			'type'        => 'sorter',@@ -78,8 +78,8 @@ 				), 			), 			'preview'     => STM_LMS_URL . 'assets/img/sorting_the_menu/main.png',-			'description' => '<ul><li><i class="fa fa-lock"></i><p>' . 
esc_html__( 'There are restrictions for dragging and/or disabling the option.', 'masterstudy-lms-learning-management-system' ) . '</p><li>-								<li><i class="fa fa-exclamation-triangle"></i><p>' . esc_html__( 'The option is important and is not recommended to be disabled.', 'masterstudy-lms-learning-management-system' ) . '</p><li>',+			'description' => '<ul><li><i class="stmlms-lock-2"></i><p>' . esc_html__( 'There are restrictions for dragging and/or disabling the option.', 'masterstudy-lms-learning-management-system' ) . '</p><li>+								<li><i class="stmlms-exclamation-triangle"></i><p>' . esc_html__( 'The option is important and is not recommended to be disabled.', 'masterstudy-lms-learning-management-system' ) . '</p><li>', 		), 		'sorting_float_menu_learning' => array( 			'type'        => 'sorter',@@ -98,7 +98,7 @@ 				), 			), 			'preview'     => STM_LMS_URL . 'assets/img/sorting_the_menu/learning.png',-			'description' => '<ul><li><i class="fa fa-exclamation-triangle"></i><p>' . esc_html__( 'The option is important and is not recommended to be disabled.', 'masterstudy-lms-learning-management-system' ) . '</p><li>',+			'description' => '<ul><li><i class="stmlms-exclamation-triangle"></i><p>' . esc_html__( 'The option is important and is not recommended to be disabled.', 'masterstudy-lms-learning-management-system' ) . '</p><li>', 		), 	); }
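Review bot: the `description` strings in every hunk here close each list item with `'</p><li>'` where `'</p></li>'` is meant, so each `<li>` is opened twice and never closed; the icon rename carries that markup over unchanged and would be the natural place to fix it. Separately, `esc_html__()` only covers the translated sentences: the `<ul>`, `<li>` and `<i class="stmlms-...">` wrappers are raw HTML, so whatever renders `description` must deliberately allow that markup (e.g. `wp_kses_post()`), and that renderer is outside this hunk.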
AI Analysis
# Security Analysis of Code Diff

**Vulnerability Existed: no**

No security vulnerabilities are present in this diff.

**Analysis:**

This diff contains only cosmetic changes to CSS class names used for icon rendering in HTML descriptions:

- `fa fa-lock` → `stmlms-lock-2`
- `fa fa-exclamation-triangle` → `stmlms-exclamation-triangle`

**Details:**

- **File:** `_core/settings/main_settings/sortable_menu.php`
- **Lines affected:** 43-44, 62, 81-82, 101

The changes replace Font Awesome icon classes with custom icon classes. The translatable sentences are escaped with `esc_html__()`; the surrounding `<ul>`, `<li>` and `<i>` markup and the icon class names are hardcoded literals with no user input involved.

**Conclusion:**

This appears to be a migration from Font Awesome icons to a custom icon library. The security posture is unchanged: the translated text is still escaped through WordPress escaping functions, and the class name changes introduce no new attack surface.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/manage_users/main.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/manage_users/main.php	2026-01-08 00:35:20.106797699 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/manage_users/main.php	2026-01-08 00:38:00.848534267 +0000@@ -33,8 +33,8 @@ 			<th><?php esc_html_e( 'User email', 'masterstudy-lms-learning-management-system' ); ?></th> 			<th width="20%"><?php esc_html_e( 'User Info', 'masterstudy-lms-learning-management-system' ); ?></th> 			<th @click="direction = direction === 'ASC' ? 'DESC' : 'ASC'" style="cursor: pointer;">-				<i class="fa fa-long-arrow-alt-up"></i>-				<i class="fa fa-long-arrow-alt-down"></i>+				<i class="stmlms-long-arrow-alt-up"></i>+				<i class="stmlms-long-arrow-alt-down"></i> 				<?php esc_html_e( 'Submission Date', 'masterstudy-lms-learning-management-system' ); ?> 			</th> 			<?php if ( $is_ai_addon_enabled ) : ?>@@ -87,7 +87,7 @@ 	<div class="history_modal" v-if="historyModal.status"> 		<div class="history_overlay" @click="historyModal.status = false"></div> 		<div class="history_close" @click="historyModal.status = false">-			<i class="fas fa-times"></i>+			<i class="stmlms-times"></i> 		</div> 		<div class="history_modal_body"> 			<div class="lms-dashboard-table">
AI Analysis

**Vulnerability Existed: no**

**No CWE Identified - N/A - _core/settings/manage_users/main.php Lines 36-37, 90**

**Old Code:**
```html
<i class="fa fa-long-arrow-alt-up"></i>
<i class="fa fa-long-arrow-alt-down"></i>
<!-- and -->
<i class="fas fa-times"></i>
```

**Fixed Code:**
```html
<i class="stmlms-long-arrow-alt-up"></i>
<i class="stmlms-long-arrow-alt-down"></i>
<!-- and -->
<i class="stmlms-times"></i>
```

**Explanation:**

This diff replaces Font Awesome icon class names (`fa`, `fas`, `fa-long-arrow-alt-up`, `fa-long-arrow-alt-down`, `fa-times`) with custom icon class names (`stmlms-long-arrow-alt-up`, `stmlms-long-arrow-alt-down`, `stmlms-times`). 

This is a UI/styling change—swapping one CSS icon library for another custom icon set. There are no security vulnerabilities in this change:

- No injection vectors are introduced
- No authentication/authorization changes
- No data handling modifications
- No sensitive information exposure
- No privilege escalation
- The translatable header text is still output through `esc_html_e()`; the icon markup is static

This appears to be a dependency removal or branding update (replacing Font Awesome with a custom icon library).
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/media_library/main.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/media_library/main.php	2026-01-08 00:35:20.110797940 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/media_library/main.php	2026-01-08 00:38:00.868535482 +0000@@ -12,7 +12,7 @@ 			<div class="stm-lms-upload__header"> 				<div class="stm-lms-upload__title"><?php esc_html_e( 'Media Gallery', 'masterstudy-lms-learning-management-system' ); ?></div> 				<div class="stm-lms-upload__close" @click="closeModal()">-					<span class="fas fa-times"></span>+					<span class="stmlms-times"></span> 				</div> 			</div> 			<div class="stm-lms-upload__drop">@@ -28,7 +28,7 @@ 						<div class="stm-lms-upload__file-type"> 							<div class="stm-lms-upload-select"> 								<div class="stm-lms-upload-select__icon">-									<span class="fas fa-caret-down"></span>+									<span class="stmlms-caret-down"></span> 								</div> 								<select name="file-type" v-model="filter.fileType"> 									<option value="all" selected><?php esc_html_e( 'All files', 'masterstudy-lms-learning-management-system' ); ?></option>@@ -42,7 +42,7 @@ 						<div class="stm-lms-upload__filter"> 							<div class="stm-lms-upload-select"> 								<div class="stm-lms-upload-select__icon">-									<span class="fas fa-caret-down"></span>+									<span class="stmlms-caret-down"></span> 								</div> 								<select name="sort" v-model="filter.sortBy"> 									<option value="post_title" selected><?php esc_html_e( 'Name: A / z', 'masterstudy-lms-learning-management-system' ); ?></option>
AI Analysis
Vulnerability Existed: no

[No Security Vulnerability] - [N/A] - _core/settings/media_library/main.php [15, 31, 45]

Old Code:
```html
<span class="fas fa-times"></span>
<span class="fas fa-caret-down"></span>
```

Fixed Code:
```html
<span class="stmlms-times"></span>
<span class="stmlms-caret-down"></span>
```

Explanation:
This diff shows a replacement of Font Awesome icon classes (`fas fa-times`, `fas fa-caret-down`) with custom icon classes (`stmlms-times`, `stmlms-caret-down`). This is a CSS class name change, likely for UI consistency or to use a custom icon library instead of Font Awesome. There is no security vulnerability in this change. The modification does not introduce any:
- XSS vulnerabilities (no unsanitized user input)
- SQL injection risks
- Authentication/authorization bypass
- Sensitive data exposure
- CSRF vulnerabilities

This is a benign UI/styling refactor with no security implications.

CVE Analysis Results:
CVE-2025-13766: No
_core/settings/media_library/media_library_file.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/media_library/media_library_file.php	2026-01-08 00:35:20.110797940 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/media_library/media_library_file.php	2026-01-08 00:38:00.868535482 +0000@@ -16,7 +16,7 @@ 				<div class="stm-lms-upload-file__date">{{ file.date }}</div> 				<div class="stm-lms-upload-file__size">{{ file.size }}</div> 				<div class="stm-lms-upload-file__actions">-					<span class="fas fa-trash" @click="deleteFile(file)"></span>+					<span class="stmlms-trash-2" @click="deleteFile(file)"></span> 				</div> 			</div> 		</div>
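Review bot: the trash icon's `@click="deleteFile(file)"` is untouched, and that handler, not the class name, is where to look for CVE-2025-13766 in this file. A client-side click handler cannot enforce authorization; the capability check for deleting the attachment has to live in the REST handler that `deleteFile()` calls, which is outside this diff, so this hunk neither fixes nor affects the reported issue.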
AI Analysis
Vulnerability Existed: no

No Security Vulnerabilities Detected - [File] _core/settings/media_library/media_library_file.php [Line 19]

Old Code:
```
<span class="fas fa-trash" @click="deleteFile(file)"></span>
```

Fixed Code:
```
<span class="stmlms-trash-2" @click="deleteFile(file)"></span>
```

Explanation:
This change replaces a Font Awesome icon class (`fas fa-trash`) with a custom icon class (`stmlms-trash-2`). This is a purely cosmetic/UI change that updates which icon library or custom icon set is used to display the trash icon. There are no security implications:

- No changes to the `deleteFile()` function logic or event handling
- No changes to data handling, validation, or sanitization
- No introduction or removal of security controls
- No modification of access controls or authentication mechanisms
- The Vue.js event binding (`@click="deleteFile(file)"`) remains unchanged
- This is equivalent to changing CSS styling and has no security impact

The diff represents a visual/branding update only, not a security fix.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/media_library/media_library_input.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/media_library/media_library_input.php	2026-01-08 00:35:20.110797940 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/media_library/media_library_input.php	2026-01-08 00:38:00.892536940 +0000@@ -21,19 +21,19 @@ 				</div> 				<span v-show="!error.status">{{ this.fileName }} - <?php esc_html_e( 'Uploading', 'masterstudy-lms-learning-management-system' ); ?> {{ this.progressBar }}%</span> 				<div class="progress-close" @click="clearUpload">-					<i class="fas fa-times"></i>+					<i class="stmlms-times"></i> 				</div> 			</div> 			<div class="error-message-block" v-show="error.status"> 				<div class="error-message-icon">-					<i class="fas fa-exclamation-circle"></i>+					<i class="stmlms-exclamation-circle"></i> 				</div> 				<div> 					<div class="error-message-filename">{{ this.fileName }}</div> 					<div class="error-message">{{ error.message }}</div> 				</div> 				<div class="error-message-close" @click="closeInput">-					<i class="fas fa-times"></i>+					<i class="stmlms-times"></i> 				</div> 			</div> 		</div>
AI Analysis
Vulnerability Existed: no
No Security Vulnerabilities Detected - [N/A] - [_core/settings/media_library/media_library_input.php] [Lines 24, 29, 36]

Old Code:
```
<i class="fas fa-times"></i>
<i class="fas fa-exclamation-circle"></i>
<i class="fas fa-times"></i>
```

Fixed Code:
```
<i class="stmlms-times"></i>
<i class="stmlms-exclamation-circle"></i>
<i class="stmlms-times"></i>
```

Explanation:
This diff shows a replacement of Font Awesome icon class names (`fas fa-*`) with custom icon class names (`stmlms-*`). This is a cosmetic/branding change with no security implications. The change:
- Does not introduce or remove any security vulnerabilities
- Does not affect input validation, data handling, or access control
- Does not modify any server-side logic or PHP code
- Simply changes CSS class references for icon rendering
- Does not create XSS, injection, or other security risks as the class names are hardcoded strings with no user input involved

This appears to be a dependency removal or custom icon system implementation, which is a legitimate development change without security concerns.
CVE Analysis Results:
CVE-2025-13766: No
_core/settings/payments/components/payments.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/settings/payments/components/payments.php	2026-01-08 00:35:20.126798906 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/settings/payments/components/payments.php	2026-01-08 00:38:00.952540585 +0000@@ -16,7 +16,7 @@ 					</div> 					<div class="stm-lms-payment_header_block_description" v-if="payment_info.payment_description" > 						<div class="stm-lms-payment_info_block_hint">-							<i class="fa fa-info-circle"></i>+							<i class="stmlms-info-circle"></i> 						</div> 						<span v-if="payment_info.payment_description" v-html="payment_info.payment_description"></span> 					</div>
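Review bot: two lines below the changed `<i>`, the template still renders `payment_info.payment_description` through `v-html`, which inserts raw HTML into the DOM. The icon rename does not change that, but a reviewer should confirm the description is either a trusted server-side constant or is passed through `wp_kses_post()` before it reaches the client; neither is visible in this hunk.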
AI Analysis
**Vulnerability Existed:** no

**No CWE - N/A** - _core/settings/payments/components/payments.php [Line 19]

**Old Code:**
```html
<i class="fa fa-info-circle"></i>
```

**Fixed Code:**
```html
<i class="stmlms-info-circle"></i>
```

**Explanation:**

This diff shows a change from using the Font Awesome icon class (`fa fa-info-circle`) to a custom icon class (`stmlms-info-circle`). This is purely a UI/styling change with no security implications. The modification:

- Does not alter any security-sensitive logic
- Does not change how user input is handled or displayed
- Does not involve authentication, authorization, or data protection mechanisms
- Is simply replacing one CSS class name with another for visual icon rendering

The `v-html` binding on line 21 inserts raw HTML, so it is an XSS sink if `payment_info.payment_description` can ever carry untrusted input; that is unrelated to the icon class change in this diff and is present in both versions.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/float_menu/logged_in.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/float_menu/logged_in.php	2026-01-08 00:35:20.138799631 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/float_menu/logged_in.php	2026-01-08 00:38:00.980542286 +0000@@ -16,7 +16,7 @@ 		?>  		<div class="stm_lms_user_float_menu__scrolled_label">-			<i class="fa fa-chevron-down"></i>+			<i class="stmlms-chevron-down-2"></i> 		</div>  	</div>
AI Analysis
Vulnerability Existed: no

No CWE/Security Vulnerability Identified - N/A - _core/stm-lms-templates/account/float_menu/logged_in.php [Line 19]

Old Code:
```html
<i class="fa fa-chevron-down"></i>
```

Fixed Code:
```html
<i class="stmlms-chevron-down-2"></i>
```

Explanation:
This diff represents a change in CSS class naming for an icon element, likely migrating from Font Awesome (`fa fa-chevron-down`) to a custom icon set (`stmlms-chevron-down-2`). This is purely a cosmetic/UI update with no security implications. The change does not involve:
- Input validation or sanitization
- Authentication or authorization logic
- Data handling or exposure
- Sensitive operations
- Injection vectors
- Access control

This is a safe, non-security-related update to the front-end presentation layer.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/float_menu/logged_out.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/float_menu/logged_out.php	2026-01-08 00:35:20.138799631 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/float_menu/logged_out.php	2026-01-08 00:38:00.980542286 +0000@@ -34,7 +34,7 @@ 			<span> 				<?php esc_html_e( 'Hey, Please Login', 'masterstudy-lms-learning-management-system' ); ?> 			</span>-			<i class="fa fa-user"></i>+			<i class="stmlms-user-2"></i> 		</div>  		<div class="stm_lms_user_float_menu__login_head">
AI Analysis
Vulnerability Existed: no

No Security Vulnerability Identified - N/A - _core/stm-lms-templates/account/float_menu/logged_out.php [Line 37]

Old Code:
```html
<i class="fa fa-user"></i>
```

Fixed Code:
```html
<i class="stmlms-user-2"></i>
```

Explanation:
This diff replaces one CSS class name with another for icon rendering in a PHP template file.

**Security Analysis:**
- No injection vulnerabilities introduced or present
- No authentication/authorization issues
- No data exposure
- The change does not involve user input, dynamic content generation, or sensitive operations
- Both the old and new code are static HTML with hardcoded class names
- No dangerous functions like `eval()`, `exec()`, or unescaped output of dynamic data

This is a cosmetic/styling change with no security implications: a straightforward icon class replacement with no security risk.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/edit_account/change_password.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/edit_account/change_password.php	2026-01-08 00:35:20.146800114 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/edit_account/change_password.php	2026-01-08 00:38:01.008543988 +0000@@ -11,7 +11,7 @@ 					<label class="heading_font"><?php esc_html_e( 'New Password', 'masterstudy-lms-learning-management-system' ); ?></label> 					<div class="form-group-social"> 						<input class="form-control masterstudy-edit-account-new-pass-input" type="password" placeholder="<?php esc_html_e( 'Enter your new password', 'masterstudy-lms-learning-management-system' ); ?>"/>-						<i class="fa visible_pass fa-eye-slash masterstudy-edit-account-new-pass-icon"></i>+						<i class="visible_pass stmlms-eye-slash masterstudy-edit-account-new-pass-icon"></i> 					</div> 				</div> 			</div>@@ -20,7 +20,7 @@ 					<label class="heading_font"><?php esc_html_e( 'Re-type New Password', 'masterstudy-lms-learning-management-system' ); ?></label> 					<div class="form-group-social"> 						<input class="form-control masterstudy-edit-account-re-new-pass-input" type="password" placeholder="<?php esc_html_e( 'Enter your new password again', 'masterstudy-lms-learning-management-system' ); ?>"/>-						<i class="fa visible_pass fa-eye-slash masterstudy-edit-account-re-new-pass-icon"></i>+						<i class="visible_pass stmlms-eye-slash masterstudy-edit-account-re-new-pass-icon"></i> 					</div> 				</div> 			</div>
AI Analysis
Vulnerability Existed: no
No vulnerabilities identified - [File] _core/stm-lms-templates/account/private/edit_account/change_password.php [Lines 14, 23]

Old Code:
```
<i class="fa visible_pass fa-eye-slash masterstudy-edit-account-new-pass-icon"></i>
<i class="fa visible_pass fa-eye-slash masterstudy-edit-account-re-new-pass-icon"></i>
```

Fixed Code:
```
<i class="visible_pass stmlms-eye-slash masterstudy-edit-account-new-pass-icon"></i>
<i class="visible_pass stmlms-eye-slash masterstudy-edit-account-re-new-pass-icon"></i>
```

Explanation:
This diff shows a change in CSS class names for icon elements from Font Awesome (`fa` and `fa-eye-slash`) to custom theme icons (`stmlms-eye-slash`). This is a styling/theming change with no security implications. The password input fields remain properly typed as `type="password"`, which ensures browser protection of password visibility. The icon classes are purely presentational and do not affect security, data handling, or authentication logic. No security vulnerabilities exist in this change.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/instructor_parts/courses.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/instructor_parts/courses.php	2026-01-08 00:35:20.154800597 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/instructor_parts/courses.php	2026-01-08 00:38:01.040545931 +0000@@ -74,7 +74,7 @@ 				</a> 			</div> 			<a href="<?php echo esc_url( $links['add_new'] ); ?>" class="btn btn-default" target="_blank">-				<i class="fa fa-plus"></i>+				<i class="stmlms-plus-2"></i> 				<?php esc_html_e( 'Add New course', 'masterstudy-lms-learning-management-system' ); ?> 			</a> 		</div>@@ -102,7 +102,7 @@ 				<i class="stm-lms-course-reset-filter-icon"></i> 			</a> 			<a href="<?php echo esc_url( $links['add_new'] ); ?>" class="btn btn-default" target="_blank">-				<i class="fa fa-plus"></i>+				<i class="stmlms-plus-2"></i> 				<?php esc_html_e( 'Add your first course', 'masterstudy-lms-learning-management-system' ); ?> 			</a> 		</div>
AI Analysis
Vulnerability Existed: no
No security vulnerabilities identified in this code diff.

Explanation:
This diff shows a template file change where Font Awesome icon class names are being replaced with custom icon class names:
- `fa fa-plus` → `stmlms-plus-2` (two occurrences)

This is a cosmetic/UI update to use custom iconography instead of Font Awesome icons. The change does not introduce, remove, or fix any security vulnerabilities. The code already uses proper security functions (`esc_url()` for URL escaping and `esc_html_e()` for text escaping), which remain unchanged. The icon class name itself has no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/instructor_parts/grid.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/instructor_parts/grid.php	2026-01-08 00:35:20.154800597 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/instructor_parts/grid.php	2026-01-08 00:38:01.040545931 +0000@@ -20,11 +20,11 @@ 				<a v-bind:href="course.link" target="_blank">  					<div class="pending-message" v-if="course.status==='pending'">-						<i class="fa fa-hourglass-half"></i>+						<i class="stmlms-hourglass-half"></i> 						<h4><?php esc_html_e( 'Pending for approval', 'masterstudy-lms-learning-management-system' ); ?></h4> 					</div> 					<div class="pending-message" v-if="course.status==='rejected'">-						<i class="fa fa-times-circle"></i>+						<i class="stmlms-times-circle"></i> 						<h4><?php esc_html_e( 'Course Rejected', 'masterstudy-lms-learning-management-system' ); ?></h4> 					</div> 
AI Analysis
**Vulnerability Existed: no**

**No Security Vulnerabilities Detected**

Explanation:
This diff shows a simple class name replacement in HTML icon elements:
- `fa fa-hourglass-half` → `stmlms-hourglass-half`
- `fa fa-times-circle` → `stmlms-times-circle`

These changes are updating Font Awesome icon class references to custom application icon classes. This is a styling/presentation change only and does not introduce or fix any security vulnerabilities. The modification:

1. Does not affect input validation or sanitization
2. Does not modify how user data is handled
3. Does not change authentication, authorization, or access control logic
4. Does not introduce injection vulnerabilities
5. Does not expose sensitive information
6. Is purely a frontend UI class name update

The `esc_html_e()` function calls remain unchanged and continue to properly escape translatable strings, maintaining XSS protection.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/instructor_parts/profile_settings_btn.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/instructor_parts/profile_settings_btn.php	2026-01-08 00:35:20.154800597 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/instructor_parts/profile_settings_btn.php	2026-01-08 00:38:01.044546175 +0000@@ -1,4 +1,4 @@-<a href="<?php echo esc_url(STM_LMS_User::settings_url()); ?>" class="stm_lms_instructor_profile_settings">-    <i class="fa fa-cog"></i>-    <?php esc_html_e('Profile settings', 'masterstudy-lms-learning-management-system'); ?>+<a href="<?php echo esc_url( STM_LMS_User::settings_url() ); ?>" class="stm_lms_instructor_profile_settings">+	<i class="stmlms-cog-2"></i>+	<?php esc_html_e( 'Profile settings', 'masterstudy-lms-learning-management-system' ); ?> </a>
AI Analysis
Vulnerability Existed: no
No CWE vulnerabilities identified
Old Code:
```php
<a href="<?php echo esc_url(STM_LMS_User::settings_url()); ?>" class="stm_lms_instructor_profile_settings">
    <i class="fa fa-cog"></i>
    <?php esc_html_e('Profile settings', 'masterstudy-lms-learning-management-system'); ?>
</a>
```
Fixed Code:
```php
<a href="<?php echo esc_url( STM_LMS_User::settings_url() ); ?>" class="stm_lms_instructor_profile_settings">
	<i class="stmlms-cog-2"></i>
	<?php esc_html_e( 'Profile settings', 'masterstudy-lms-learning-management-system' ); ?>
</a>
```

Explanation:
This diff contains only formatting and styling changes with no security implications. The changes are:
1. Added spacing around function parameters (cosmetic/code style)
2. Changed indentation from spaces to tabs
3. Changed Font Awesome icon class from "fa fa-cog" to "stmlms-cog-2" (custom icon set)

All security functions remain intact:
- `esc_url()` properly sanitizes the URL output
- `esc_html_e()` properly escapes and outputs the translated string

No vulnerabilities were introduced or fixed in this update.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/manage_students/import-modal.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/manage_students/import-modal.php	2026-01-08 00:35:20.162801080 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/manage_students/import-modal.php	2026-01-08 00:38:01.076548119 +0000@@ -8,7 +8,7 @@ 			<span class="masterstudy-manage-students-import__modal-title"> 				<span data-step="1,2,3"><?php esc_html_e( 'Import students from CSV', 'masterstudy-lms-learning-management-system' ); ?></span> 				<span data-step="6"><?php esc_html_e( 'Import partially complete', 'masterstudy-lms-learning-management-system' ); ?></span>-			</span> +			</span> 			<span class="masterstudy-manage-students-import__modal-close"></span> 		</div> 		<div class="masterstudy-manage-students-import__modal-text">@@ -38,7 +38,7 @@ 		</div> 		<div class="masterstudy-manage-students-import__info hidden" data-step="6"> 			<span class="masterstudy-manage-students-import__warning">-				<i class="fas fa-exclamation-triangle"></i>+				<i class="stmlms-exclamation-triangle"></i> 				<?php esc_html_e( 'The users below were not imported as they had already been enrolled in this course.', 'masterstudy-lms-learning-management-system' ); ?> 			</span> 			<div class="masterstudy-manage-students-import__list">@@ -46,7 +46,7 @@ 			</div> 		</div> 		<div class="masterstudy-manage-students-import__file-upload" data-step="1">-			<div class="masterstudy-manage-students-import__file-upload__item-wrapper"></div> +			<div class="masterstudy-manage-students-import__file-upload__item-wrapper"></div> 			<div class="masterstudy-manage-students-import__file-upload__field"> 				<?php 				STM_LMS_Templates::show_lms_template(@@ -64,9 +64,9 @@ 				?> 				<div class="masterstudy-manage-students-import__file-upload__field-text"> 					<p><?php esc_html_e( 'Drag file here or click the button.', 'masterstudy-lms-learning-management-system' ); ?></p>-				</div> +				</div> 				<div 
class="masterstudy-manage-students-import__file-upload__field-error" data-step="1">-					<i class="fas fa-exclamation-triangle"></i>+					<i class="stmlms-exclamation-triangle"></i> 					<span class="masterstudy-manage-students-import__unsupported-file-type hidden"> 						<?php esc_html_e( 'Unsupported file type.', 'masterstudy-lms-learning-management-system' ); ?> 					</span>@@ -85,7 +85,7 @@ 						) 					); 					?>-				</div> +				</div> 				<input type="file" class="masterstudy-manage-students-import__file-upload__input" accept=".csv"> 			</div> 		</div>
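Review bot: the `accept=".csv"` on the `<input type="file" ...>` context line at the end of the last hunk is a browser-side picker filter only, not a validation control; the handler that receives this upload must still verify the file type and parse the CSV defensively server-side. The hunk itself (icon class swap and trailing-whitespace removal) needs no change.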
AI Analysis
# Security Analysis: PatchLeaks Code Diff

---

**Vulnerability 1:**

Vulnerability Existed: no

Dependency Confusion / Supply Chain Risk - CWE-1021 - import-modal.php (Line 41)

Old Code:
```
<i class="fas fa-exclamation-triangle"></i>
```

Fixed Code:
```
<i class="stmlms-exclamation-triangle"></i>
```

Explanation:
This change removes a dependency on the external Font Awesome library (`fas` class prefix) and replaces it with an internal icon class (`stmlms-exclamation-triangle`). While this is not a direct security vulnerability in the code itself, it represents a security improvement by reducing reliance on external CDN-hosted dependencies. Font Awesome icons loaded from a CDN could potentially be compromised, leading to XSS attacks if the CDN is breached. By using internal icons, the application reduces its attack surface. The vulnerability did not exist in the old code per se, but this change mitigates potential supply chain risks.

---

**Vulnerability 2:**

Vulnerability Existed: no

Dependency Confusion / Supply Chain Risk - CWE-1021 - import-modal.php (Line 68)

Old Code:
```
<i class="fas fa-exclamation-triangle"></i>
```

Fixed Code:
```
<i class="stmlms-exclamation-triangle"></i>
```

Explanation:
Same as Vulnerability 1 - another instance of replacing Font Awesome external dependency with internal icon class. This is a supply chain security improvement rather than a fix for an active vulnerability.

---

**Additional Changes:**

Vulnerability Existed: no

Whitespace Cleanup - No CWE - import-modal.php (Lines 11, 49, 67, 88)

Old Code:
```
</span> 
</div> 
</div> 
</div> 
```

Fixed Code:
```
</span>
</div>
</div>
</div>
```

Explanation:
Trailing whitespace removal. This is a code quality improvement with no security implications.

---

**Summary:** No active security vulnerabilities were fixed in this diff. The primary security-related change is the mitigation of supply chain risk by removing external Font Awesome dependencies.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/parts/avatar_edit.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/parts/avatar_edit.php	2026-01-08 00:35:20.166801321 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/parts/avatar_edit.php	2026-01-08 00:38:01.096549334 +0000@@ -18,7 +18,7 @@ 	<?php if ( ! empty( $my_avatar ) ) : ?> 		<i class="stmlms-cross delete_avatar"></i> 	<?php endif; ?>-	<i class="fa-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>+	<i class="stmlms-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i> 	<?php if ( ! empty( $current_user['avatar'] ) ) : ?> 		<div class="stm-lms-user_avatar"> 			<?php echo wp_kses_post( $current_user['avatar'] ); ?>
AI Analysis
Vulnerability Existed: no
No Security Vulnerability Identified
Old Code:
```
<i class="fa-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>
```
Fixed Code:
```
<i class="stmlms-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>
```
Explanation:
This change is a CSS class name update from `fa-dashcam` to `stmlms-dashcam`, likely related to icon library migration or branding consistency. The output is already properly escaped using `esc_attr_e()`, which safely escapes the translatable string for use in HTML attributes. This is a cosmetic/styling change with no security implications. The escaping function remains in place and unchanged, so no vulnerability is present in either version.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/parts/certificate-list.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/parts/certificate-list.php	2026-01-08 00:35:20.170801563 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/parts/certificate-list.php	2026-01-08 00:38:01.108550063 +0000@@ -83,7 +83,7 @@ 				<div class="affiliate_points heading_font" data-copy="<?php echo esc_attr( $code ); ?>"> 					<span class="hidden" id="<?php echo esc_attr( $code ); ?>"><?php echo esc_html( $code ); ?></span> 					<span class="affiliate_points__btn">-						<i class="fa fa-link"></i>+						<i class="stmlms-link-2"></i> 						<span class="text"><?php esc_html_e( 'Copy code', 'masterstudy-lms-learning-management-system' ); ?></span> 					</span> 				</div>
AI Analysis
Vulnerability Existed: no

No Security Vulnerability Detected - [File] certificate-list.php [Line 86]

Old Code:
```php
<i class="fa fa-link"></i>
```

Fixed Code:
```php
<i class="stmlms-link-2"></i>
```

Explanation:
This change replaces a Font Awesome icon class reference with a custom icon class. This is not a security fix—it's a UI/styling update. The change involves:
- Removing the Font Awesome dependency reference (`fa fa-link`)
- Using a custom icon class (`stmlms-link-2`) instead

Neither the old nor the new code presents a security vulnerability. No input validation, output encoding, or security-sensitive operations are involved. The HTML is already properly escaped with `esc_attr()` and `esc_html()` functions for the data attributes and text content respectively. This is purely a frontend styling/icon library change with no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/parts/enrolled-courses.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/parts/enrolled-courses.php	2026-01-08 00:35:20.170801563 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/parts/enrolled-courses.php	2026-01-08 00:38:01.116550549 +0000@@ -212,7 +212,7 @@ 						<div class="stm_lms_instructor_courses__single--progress"> 							<div class="stm_lms_instructor_courses__single--progress_top"> 								<div class="stm_lms_instructor_courses__single--duration" v-if="course.duration">-									<i class="far fa-clock"></i>+									<i class="stmlms-clock"></i> 									{{ course.duration }} 								</div> 								<div class="stm_lms_instructor_courses__single--completed">
AI Analysis
Vulnerability Existed: no

No Vulnerability - Icon Class Change - _core/stm-lms-templates/account/private/parts/enrolled-courses.php - Line 215

Old Code:
```
<i class="far fa-clock"></i>
```

Fixed Code:
```
<i class="stmlms-clock"></i>
```

Explanation:
This change replaces a Font Awesome icon class reference (`far fa-clock`) with a custom icon class (`stmlms-clock`). This is a purely presentational modification with no security implications. The change does not involve any data handling, validation, sanitization, or security-related code. It's a UI/UX update to use a different icon library or custom icon set, which does not introduce or fix any security vulnerabilities.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/parts/expiration.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/parts/expiration.php	2026-01-08 00:35:20.174801804 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/parts/expiration.php	2026-01-08 00:38:01.128551278 +0000@@ -2,7 +2,7 @@  <div v-else class="stm_lms_expired_notice__wrapper"> 	<div class="stm_lms_expired_notice warning_expired">-		<i class="far fa-clock"></i>+		<i class="stmlms-clock"></i> 		<template v-if="course.is_expired && !course.membership_expired && !course.membership_inactive"> 			<?php esc_html_e( 'Course has expired', 'masterstudy-lms-learning-management-system' ); ?> 		</template>
AI Analysis
**Vulnerability Existed: no**

**No CWE Vulnerability Identified**

**Old Code:**
```html
<i class="far fa-clock"></i>
```

**Fixed Code:**
```html
<i class="stmlms-clock"></i>
```

**Explanation:**

This diff represents a change in CSS class names for an icon element, transitioning from Font Awesome (`far fa-clock`) to a custom icon class (`stmlms-clock`). This is a cosmetic/styling change with no security implications.

The modification does not:
- Introduce or fix any input validation issues
- Change how user data is handled or displayed
- Modify access control mechanisms
- Alter output encoding or escaping
- Introduce any code execution paths
- Affect authentication or authorization logic

This is purely a frontend icon class update and presents no security vulnerabilities.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/parts/logout.php AI: 1 vulnerabilities 1 true positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/parts/logout.php	2026-01-08 00:35:20.174801804 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/parts/logout.php	2026-01-08 00:38:01.132551521 +0000@@ -1,6 +1,6 @@-<a href="<?php echo wp_logout_url(get_home_url()); ?>" class="stm-lms-logout-button btn btn-default">-    <i class="fas fa-power-off"></i>-    <span>-        <?php esc_html_e('Log out', 'masterstudy-lms-learning-management-system'); ?>-    </span>-</a>\ No newline at end of file+<a href="<?php echo esc_attr( wp_logout_url( get_home_url() ) ); ?>" class="stm-lms-logout-button btn btn-default">+	<i class="stmlms-power-off"></i>+	<span>+		<?php esc_html_e( 'Log out', 'masterstudy-lms-learning-management-system' ); ?>+	</span>+</a>
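Review bot: `esc_attr()` is not the right escaper for an `href` value on the first `+` line; the WordPress convention for URLs placed in attributes is `esc_url()`, which escapes for attribute context and also rejects disallowed URL schemes. Suggest `<a href="<?php echo esc_url( wp_logout_url( get_home_url() ) ); ?>" class="stm-lms-logout-button btn btn-default">`. The old line emitted the URL with no escaping at all, so the change is still a step forward; the remaining lines of the hunk are an icon class swap and indentation cleanup only.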
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - _core/stm-lms-templates/account/private/parts/logout.php - Line 1

Old Code:
```php
<a href="<?php echo wp_logout_url(get_home_url()); ?>" class="stm-lms-logout-button btn btn-default">
```

Fixed Code:
```php
<a href="<?php echo esc_attr( wp_logout_url( get_home_url() ) ); ?>" class="stm-lms-logout-button btn btn-default">
```

Explanation:
The original code output the result of `wp_logout_url()` directly into an HTML attribute without escaping. While `wp_logout_url()` itself is a trusted WordPress function, the output should be escaped when placed in an HTML context to prevent potential XSS attacks if the URL contains special characters or if the function's behavior changes. The fix applies `esc_attr()` to properly escape the URL for use in an HTML attribute, which is the correct WordPress security practice for attribute output.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/parts/settings_button.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/parts/settings_button.php	2026-01-08 00:35:20.178802046 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/parts/settings_button.php	2026-01-08 00:38:01.140552007 +0000@@ -8,8 +8,8 @@ <br/>  <div class="stm-lms-user_edit_profile_btn __bordered">-	<a href="<?php echo esc_url(STM_LMS_User::settings_url()); ?>">-		<i class="fa fa-cog"></i>-		<span><?php esc_html_e('Settings', 'masterstudy-lms-learning-management-system'); ?></span>+	<a href="<?php echo esc_url( STM_LMS_User::settings_url() ); ?>">+		<i class="stmlms-cog-2"></i>+		<span><?php esc_html_e( 'Settings', 'masterstudy-lms-learning-management-system' ); ?></span> 	</a> </div>
AI Analysis
Vulnerability Existed: no
No CWE - N/A - _core/stm-lms-templates/account/private/parts/settings_button.php (Lines 11-13)
Old Code:
```php
<a href="<?php echo esc_url(STM_LMS_User::settings_url()); ?>">
	<i class="fa fa-cog"></i>
	<span><?php esc_html_e('Settings', 'masterstudy-lms-learning-management-system'); ?></span>
</a>
```

Fixed Code:
```php
<a href="<?php echo esc_url( STM_LMS_User::settings_url() ); ?>">
	<i class="stmlms-cog-2"></i>
	<span><?php esc_html_e( 'Settings', 'masterstudy-lms-learning-management-system' ); ?></span>
</a>
```

Explanation:
This diff contains no security fixes or vulnerabilities. The changes are purely cosmetic and stylistic:
1. Addition of whitespace around function parameters in `esc_url()` and `esc_html_e()` calls (code formatting)
2. Icon class change from `fa fa-cog` to `stmlms-cog-2` (UI/styling update)

Both the old and new code properly use WordPress security functions (`esc_url()` for URL escaping and `esc_html_e()` for output escaping). The modifications do not introduce or fix any security vulnerabilities—they are purely maintenance and UI refinements.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/parts/socials.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/parts/socials.php	2026-01-08 00:35:20.178802046 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/parts/socials.php	2026-01-08 00:38:01.140552007 +0000@@ -15,7 +15,7 @@ 				class="<?php echo esc_attr( $social ); ?> stm_lms_update_field__<?php echo esc_attr( $social ); ?>" 			> 				<?php if ( 'twitter' !== $social ) { ?>-					<i class="fab fa-<?php echo esc_attr( $fields[ $social ]['icon'] ); ?>"></i>+					<i class="stmlms-<?php echo esc_attr( $fields[ $social ]['icon'] ); ?>"></i> 				<?php } ?> 			</a> 			<?php
AI Analysis
Vulnerability Existed: no

Cross-Site Scripting (XSS) - CWE-79 - _core/stm-lms-templates/account/private/parts/socials.php - Line 18

Old Code:
```php
<i class="fab fa-<?php echo esc_attr( $fields[ $social ]['icon'] ); ?>"></i>
```

Fixed Code:
```php
<i class="stmlms-<?php echo esc_attr( $fields[ $social ]['icon'] ); ?>"></i>
```

Explanation:
No vulnerability existed in either version. Both the old and fixed code properly use `esc_attr()` to escape the output of `$fields[ $social ]['icon']` before inserting it into an HTML class attribute. The `esc_attr()` function is the appropriate WordPress escaping function for attribute context and prevents XSS attacks. The change from `fab fa-` to `stmlms-` is simply updating the CSS class prefix (likely from FontAwesome to a custom icon library), not a security fix. Both versions are equally secure against XSS.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/account/private/parts/tabs.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/account/private/parts/tabs.php	2026-01-08 00:35:20.178802046 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/account/private/parts/tabs.php	2026-01-08 00:38:01.144552250 +0000@@ -16,7 +16,7 @@ } if ( is_user_logged_in() ) { 	?>-	<div class="stm_lms_acc_tabs +	<div class="stm_lms_acc_tabs 	<?php 	if ( ! empty( $sub_items ) ) { 		echo esc_attr( 'has_sub_items' );}@@ -35,7 +35,7 @@ 		</div> 		<?php if ( ! empty( $sub_items ) ) { ?> 			<div class="stm_lms_acc_tabs__secondary">-				<i class="stm_lms_acc_tabs__toggle fa fa-ellipsis-v"></i>+				<i class="stm_lms_acc_tabs__toggle stmlms-ellipsis-v"></i> 				<div class="stm_lms_acc_tabs__secondary_inner"> 					<?php foreach ( $sub_items as $menu_section ) { ?> 						<div class="stm_lms_acc_tabs__secondary_inner__section">
AI Analysis
# Security Analysis Results

Vulnerability 1:

Vulnerability Existed: no

No CWE - N/A - _core/stm-lms-templates/account/private/parts/tabs.php - Line 19

[Old Code]
```
<div class="stm_lms_acc_tabs 
```

[Fixed Code]
```
<div class="stm_lms_acc_tabs
```

Explanation:
This change removes trailing whitespace from a class attribute. This is a code cleanup/formatting fix with no security implications. HTML/CSS trailing spaces in class names do not introduce vulnerabilities.

---

Vulnerability 2:

Vulnerability Existed: no

No CWE - N/A - _core/stm-lms-templates/account/private/parts/tabs.php - Line 38

[Old Code]
```
<i class="stm_lms_acc_tabs__toggle fa fa-ellipsis-v"></i>
```

[Fixed Code]
```
<i class="stm_lms_acc_tabs__toggle stmlms-ellipsis-v"></i>
```

Explanation:
This change replaces Font Awesome icon class references (`fa fa-ellipsis-v`) with a custom icon class (`stmlms-ellipsis-v`). This is a UI/styling change, likely updating to use a custom icon set instead of Font Awesome. No security vulnerability exists here—it's a class name replacement that does not affect security, input validation, authentication, authorization, or data handling.

---

**Summary:** The diff contains only formatting and styling updates with no security vulnerabilities.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/buddypress/account/v1/private/instructor_parts/info.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/buddypress/account/v1/private/instructor_parts/info.php	2026-01-08 00:35:20.194803012 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/buddypress/account/v1/private/instructor_parts/info.php	2026-01-08 00:38:01.256559054 +0000@@ -21,7 +21,7 @@ 		<?php if ( ! empty( $my_avatar ) ) : ?> 			<i class="stmlms-cross delete_avatar"></i> 		<?php endif; ?>-		<i class="fa-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>+		<i class="stmlms-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i> 		<?php if ( ! empty( $current_user['avatar'] ) ) : ?> 			<div class="stm-lms-user_avatar"> 				<?php echo wp_kses_post( $current_user['avatar'] ); ?>
AI Analysis
**Vulnerability Existed:** no

**No Security Vulnerability Detected** - _core/stm-lms-templates/buddypress/account/v1/private/instructor_parts/info.php [Line 24]

**Old Code:**
```php
<i class="fa-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>
```

**Fixed Code:**
```php
<i class="stmlms-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>
```

**Explanation:**

This change is a CSS class name update from `fa-dashcam` to `stmlms-dashcam`. Both the old and new code use `esc_attr_e()`, which is a WordPress security function that properly escapes and outputs translated text for HTML attributes. The modification only affects the icon class styling and does not introduce or remove any security vulnerabilities. The text escaping mechanism remains identical and secure in both versions. This is a cosmetic/styling change, not a security fix or vulnerability.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/buddypress/account/v1/private/parts/info.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/buddypress/account/v1/private/parts/info.php	2026-01-08 00:35:20.194803012 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/buddypress/account/v1/private/parts/info.php	2026-01-08 00:38:01.292561242 +0000@@ -20,7 +20,7 @@ 		<?php if ( ! empty( $my_avatar ) ) : ?> 			<i class="stmlms-cross delete_avatar"></i> 		<?php endif; ?>-		<i class="fa-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>+		<i class="stmlms-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i> 		<?php if ( ! empty( $current_user['avatar'] ) ) : ?> 			<div class="stm-lms-user_avatar"> 				<?php echo wp_kses_post( $current_user['avatar'] ); ?>
AI Analysis
**Vulnerability Existed: no**

**No Security Vulnerability - CSS Class Name Change**

**Old Code:**
```php
<i class="fa-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>
```

**Fixed Code:**
```php
<i class="stmlms-dashcam" data-text="<?php esc_attr_e( 'Change photo', 'masterstudy-lms-learning-management-system' ); ?>"></i>
```

**Explanation:**

This diff shows a CSS class name change from `fa-dashcam` to `stmlms-dashcam`. This is a cosmetic/styling change with no security implications. The change does not affect:

- Input validation or sanitization
- Authentication or authorization logic
- Data handling or storage
- Privilege escalation vectors
- XSS vulnerabilities (the `esc_attr_e()` function properly escapes the translatable string in the `data-text` attribute)
- SQL injection risks
- Sensitive information exposure

The `esc_attr_e()` function was already present in both versions and correctly escapes the text for safe HTML attribute usage, ensuring proper protection against XSS attacks. The only modification is the icon class name reference, which appears to be a migration from a Font Awesome icon class to a custom `stmlms-` prefixed class.

**Result: No vulnerability exists in this diff.**
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/buddypress/account/v1/private/parts/socials.php AI: 1 vulnerabilities 1 false positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/buddypress/account/v1/private/parts/socials.php	2026-01-08 00:35:20.194803012 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/buddypress/account/v1/private/parts/socials.php	2026-01-08 00:38:01.292561242 +0000@@ -3,35 +3,35 @@  * @var $current_user  */ -$socials = array('facebook', 'twitter', 'instagram', 'google-plus');-$fields = STM_LMS_User::extra_fields();-$rating = STM_LMS_Instructor::my_rating($current_user);+$socials = array( 'facebook', 'twitter', 'instagram', 'google-plus' );+$fields  = STM_LMS_User::extra_fields();+$rating  = STM_LMS_Instructor::my_rating( $current_user ); ?>  <div class="stm_lms_user_info_top__wrapper"> -    <div class="stm_lms_user_info_top__socials">-        <?php foreach ($socials as $social): ?>-            <?php if (!empty($current_user['meta'][$social])): ?>-                <a href="<?php echo esc_url($current_user['meta'][$social]); ?>"-                   target="_blank"-                   class="<?php echo esc_attr($social); ?> stm_lms_update_field__<?php echo esc_attr($social); ?>">-                    <i class="fab fa-<?php echo esc_attr($fields[$social]['icon']) ?>"></i>-                </a>-            <?php endif; ?>-        <?php endforeach; ?>-    </div>+	<div class="stm_lms_user_info_top__socials">+		<?php foreach ( $socials as $social ) : ?>+			<?php if ( ! 
empty( $current_user['meta'][ $social ] ) ) : ?>+				<a href="<?php echo esc_url( $current_user['meta'][ $social ] ); ?>"+					target="_blank"+					class="<?php echo esc_attr( $social ); ?> stm_lms_update_field__<?php echo esc_attr( $social ); ?>">+					<i class="stmlms-<?php echo esc_attr( $fields[ $social ]['icon'] ); ?>"></i>+				</a>+			<?php endif; ?>+		<?php endforeach; ?>+	</div> -    <?php if (!empty($rating['total'])): ?>-        <div class="stm-lms-user_rating">-            <div class="star-rating star-rating__big">-                <span style="width: <?php echo floatval($rating['percent']); ?>%;"></span>-            </div>-            <strong class="rating heading_font"><?php echo floatval($rating['average']); ?></strong>-            <div class="stm-lms-user_rating__total">-                <?php echo sanitize_text_field($rating['total_marks']); ?>-            </div>-        </div>-    <?php endif; ?>+	<?php if ( ! empty( $rating['total'] ) ) : ?>+		<div class="stm-lms-user_rating">+			<div class="star-rating star-rating__big">+				<span style="width: <?php echo floatval( $rating['percent'] ); ?>%;"></span>+			</div>+			<strong class="rating heading_font"><?php echo floatval( $rating['average'] ); ?></strong>+			<div class="stm-lms-user_rating__total">+				<?php echo wp_kses_post( $rating['total_marks'] ); ?>+			</div>+		</div>+	<?php endif; ?> -</div>\ No newline at end of file+</div>
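Review bot: the swap from sanitize_text_field() to wp_kses_post() around `$rating['total_marks']` (the stm-lms-user_rating__total div in the second region of the hunk) widens what can reach the page rather than narrowing it: sanitize_text_field() strips every tag, while wp_kses_post() passes through all HTML allowed in post content. If total_marks is the plain "N marks" text the surrounding markup suggests, `<?php echo esc_html( $rating['total_marks'] ); ?>` is the correct output escape; if it is meant to carry markup, a comment in the template should say so. $rating is produced by STM_LMS_Instructor::my_rating( $current_user ) at the top of the hunk rather than read from the request, so whether total_marks can ever carry attacker-influenced content depends on that method, which is outside this diff; the remaining lines (esc_url() on the href, esc_attr() on the class, floatval() on the rating numbers) are escaped correctly in both versions, and the `fab fa-` to `stmlms-` change is an icon-library rename only.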
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - socials.php Line 32
[Old Code]
```php
<?php echo sanitize_text_field($rating['total_marks']); ?>
```
[Fixed Code]
```php
<?php echo wp_kses_post( $rating['total_marks'] ); ?>
```
Explanation:
The original code used `sanitize_text_field()` which removes HTML tags but does not properly escape HTML entities. This is insufficient for safely outputting content that may contain HTML markup. The fix uses `wp_kses_post()`, which is WordPress's proper function for sanitizing and escaping content that may contain HTML tags and attributes. This prevents XSS attacks where malicious scripts could be injected through the `$rating['total_marks']` variable.

---

Vulnerability Existed: not sure
Icon Class Rendering Change - socials.php Line 19
[Old Code]
```php
<i class="fab fa-<?php echo esc_attr($fields[$social]['icon']) ?>"></i>
```
[Fixed Code]
```php
<i class="stmlms-<?php echo esc_attr( $fields[ $social ]['icon'] ); ?>"></i>
```
Explanation:
The class prefix changed from `fab fa-` (Font Awesome) to `stmlms-`. While `esc_attr()` is properly used in both versions to prevent attribute injection, the semantic change in icon class libraries could indicate a security fix if the previous Font Awesome CDN was vulnerable or if the new icon library is more secure. However, without additional context about why this change was made, it's uncertain whether this addresses a security vulnerability or is simply a UI/style update.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/components/buy-button/paid-courses/paid-courses.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/components/buy-button/paid-courses/paid-courses.php	2026-01-08 00:35:20.222804702 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/components/buy-button/paid-courses/paid-courses.php	2026-01-08 00:38:01.428569504 +0000@@ -13,18 +13,19 @@  wp_enqueue_style( 'masterstudy-button' ); -$logged_in         = is_user_logged_in();-$price             = get_post_meta( $post_id, 'price', true );-$sale_price        = get_post_meta( $post_id, 'sale_price', true );-$single_sale       = get_post_meta( $post_id, 'single_sale', true );-$not_in_membership = get_post_meta( $post_id, 'not_membership', true );-$points_price      = class_exists( 'STM_LMS_Point_System' ) ? STM_LMS_Point_System::course_price( $post_id ) : null;-$enterprise_price  = class_exists( 'STM_LMS_Enterprise_Courses' ) ? STM_LMS_Enterprise_Courses::get_enterprise_price( $post_id ) : null;-$group_course_show = $prerequisite_passed && empty( $hide_group_course ) && ! empty( $enterprise_price ) && $logged_in;-$show_buttons      = apply_filters( 'stm_lms_pro_show_button', true, $post_id );-$sale_price_active = STM_LMS_Helpers::is_sale_price_active( $post_id );-$is_sale           = ! empty( $sale_price ) && ! empty( $sale_price_active );-$guest_checkout    = STM_LMS_Options::get_option( 'guest_checkout', false );+$logged_in                = is_user_logged_in();+$price                    = get_post_meta( $post_id, 'price', true );+$sale_price               = get_post_meta( $post_id, 'sale_price', true );+$single_sale              = get_post_meta( $post_id, 'single_sale', true );+$not_in_membership        = get_post_meta( $post_id, 'not_membership', true );+$is_subscriptions_enabled = get_post_meta( $post_id, 'subscriptions', true );+$points_price             = class_exists( 'STM_LMS_Point_System' ) ? 
STM_LMS_Point_System::course_price( $post_id ) : null;+$enterprise_price         = class_exists( 'STM_LMS_Enterprise_Courses' ) ? STM_LMS_Enterprise_Courses::get_enterprise_price( $post_id ) : null;+$group_course_show        = $prerequisite_passed && empty( $hide_group_course ) && ! empty( $enterprise_price ) && $logged_in;+$show_buttons             = apply_filters( 'stm_lms_pro_show_button', true, $post_id );+$sale_price_active        = STM_LMS_Helpers::is_sale_price_active( $post_id );+$is_sale                  = ! empty( $sale_price ) && ! empty( $sale_price_active );+$guest_checkout           = STM_LMS_Options::get_option( 'guest_checkout', false );  $pmpro_plans_courses        = array(); $pmpro_plans_have_quota     = false;@@ -36,9 +37,11 @@ $ms_payment_plans        = array();  if ( $ms_subscription_enabled ) {-	$subs_repo             = new SubscriptionPlanRepository();-	$ms_membership_plans   = $subs_repo->get_enabled_plans_for_course( (int) $post_id );-	$ms_subscription_plans = $subs_repo->get_course_plans( $post_id );+	$subs_repo           = new SubscriptionPlanRepository();+	$ms_membership_plans = $subs_repo->get_enabled_plans_for_course( (int) $post_id );+	if ( ! empty( $is_subscriptions_enabled ) ) {+		$ms_subscription_plans = $subs_repo->get_course_plans( $post_id );+	} }  if ( $pmpro_subscription_enabled ) {
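Review bot: in the second hunk `$ms_subscription_plans` is now assigned only when the course's `subscriptions` post meta is non-empty, so every later read of that variable when the meta is empty depends on it having been initialised above the `if ( $ms_subscription_enabled )` block. The context shows `$ms_payment_plans = array();` being set up there; `$ms_subscription_plans` needs the same default (`$ms_subscription_plans = array();`) if it does not already have one, otherwise PHP raises an undefined-variable warning and any downstream `! empty()` check silently evaluates to false. The first hunk is alignment-only apart from the new `$is_subscriptions_enabled = get_post_meta( $post_id, 'subscriptions', true );` read, and nothing here touches the REST capability checks that CVE-2025-13766 describes.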
AI Analysis
Vulnerability Existed: no
No vulnerabilities detected - Code Formatting and Logic Enhancement
File: _core/stm-lms-templates/components/buy-button/paid-courses/paid-courses.php
Lines: 16-29, 40-44

Old Code:
```php
$logged_in         = is_user_logged_in();
$price             = get_post_meta( $post_id, 'price', true );
$sale_price        = get_post_meta( $post_id, 'sale_price', true );
$single_sale       = get_post_meta( $post_id, 'single_sale', true );
$not_in_membership = get_post_meta( $post_id, 'not_membership', true );
$points_price      = class_exists( 'STM_LMS_Point_System' ) ? STM_LMS_Point_System::course_price( $post_id ) : null;
...
if ( $ms_subscription_enabled ) {
	$subs_repo             = new SubscriptionPlanRepository();
	$ms_membership_plans   = $subs_repo->get_enabled_plans_for_course( (int) $post_id );
	$ms_subscription_plans = $subs_repo->get_course_plans( $post_id );
}
```

Fixed Code:
```php
$logged_in                = is_user_logged_in();
$price                    = get_post_meta( $post_id, 'price', true );
$sale_price               = get_post_meta( $post_id, 'sale_price', true );
$single_sale              = get_post_meta( $post_id, 'single_sale', true );
$not_in_membership        = get_post_meta( $post_id, 'not_membership', true );
$is_subscriptions_enabled = get_post_meta( $post_id, 'subscriptions', true );
$points_price             = class_exists( 'STM_LMS_Point_System' ) ? STM_LMS_Point_System::course_price( $post_id ) : null;
...
if ( $ms_subscription_enabled ) {
	$subs_repo           = new SubscriptionPlanRepository();
	$ms_membership_plans = $subs_repo->get_enabled_plans_for_course( (int) $post_id );
	if ( ! empty( $is_subscriptions_enabled ) ) {
		$ms_subscription_plans = $subs_repo->get_course_plans( $post_id );
	}
}
```

Explanation:
This diff contains code formatting improvements (variable alignment) and a logic enhancement, not security fixes. The new variable `$is_subscriptions_enabled` is introduced and wrapped in a conditional check before calling `$subs_repo->get_course_plans()`. This is a preventative check to ensure the subscription plans are only retrieved when subscriptions are enabled for the course. The changes do not address or fix any existing security vulnerabilities - they are purely functional improvements to code quality and logic flow. The `get_post_meta()` calls use proper sanitization through WordPress core functions, and there is no evidence of SQL injection, XSS, or other OWASP vulnerabilities being introduced or fixed.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/courses/advanced_filters/filters/availability.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/availability.php	2026-01-08 00:35:20.590826923 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/advanced_filters/filters/availability.php	2026-01-08 00:38:01.824593564 +0000@@ -25,7 +25,7 @@ 						?> 							value="<?php echo esc_html( $status ); ?>" 							name="availability"/>-						<span><i class="fa fa-check"></i> </span>+						<span><i class="stmlms-check-3"></i> </span> 					</span> 					<span><?php echo esc_html( $status_label ); ?></span> 				</label>
AI Analysis
Vulnerability Existed: no
No Security Vulnerability - [File] cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/availability.php [Line 28]

Old Code:
```php
<span><i class="fa fa-check"></i> </span>
```

Fixed Code:
```php
<span><i class="stmlms-check-3"></i> </span>
```

Explanation:
This change is a cosmetic update replacing an external Font Awesome icon class reference ("fa fa-check") with an internal custom icon class ("stmlms-check-3"). This is not a security fix, but rather a UI/dependency management change. The code properly uses `esc_html()` for the value attribute, and the icon class name change does not introduce or fix any security vulnerabilities. No XSS, injection, or other security issues are present in either version.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/courses/advanced_filters/filters/category.php AI: 1 vulnerabilities 1 true positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/category.php	2026-01-08 00:35:20.590826923 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/advanced_filters/filters/category.php	2026-01-08 00:38:01.844594779 +0000@@ -34,12 +34,12 @@ 					<span class="stm_lms_styled_checkbox__inner"> 						<input type="checkbox" 							<?php-							if ( in_array( intval( $term->term_id ), $values ) ) {+							if ( in_array( intval( $term->term_id ), $values, true ) ) { 								echo 'checked="checked"';} 							?> 							value="<?php echo intval( $term->term_id ); ?>" 							name="category[]"/>-						<span><i class="fa fa-check"></i> </span>+						<span><i class="stmlms-check-3"></i> </span> 					</span> 						<span><?php echo esc_html( $term->name ); ?></span> 					</label>
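Review bot: the strict `in_array( intval( $term->term_id ), $values, true )` on line 37 compares an integer needle against the elements of `$values`, so it only matches when those elements are integers too. `$values` is built outside this hunk; if it comes from the `name="category[]"` request parameter shown a few lines below, its elements arrive as strings and after this change no category checkbox will ever render as `checked="checked"`. Normalise where `$values` is assembled, e.g. `$values = array_map( 'intval', (array) $values );`, so the strict comparison keeps working and a non-array value cannot make in_array() throw a TypeError on PHP 8. The `fa fa-check` to `stmlms-check-3` line is an icon rename only, and neither change relates to the REST capability checks behind CVE-2025-13766.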
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Loose Comparison - Logic Error (Implicit Type Coercion) - CWE-1025 - category.php - Line 37
Old Code:
```php
if ( in_array( intval( $term->term_id ), $values ) ) {
```
Fixed Code:
```php
if ( in_array( intval( $term->term_id ), $values, true ) ) {
```
Explanation:
The original code uses `in_array()` without the strict parameter (defaults to `false`), which performs loose comparison using `==` instead of strict comparison using `===`. This can lead to type juggling vulnerabilities where different types may be considered equal. For example, `0 == "string"` evaluates to `true` in PHP. By adding `true` as the third parameter, the function now performs strict type checking, ensuring that both the value and type must match. This is a security fix because it prevents potential logic bypasses through type coercion attacks.

---

Vulnerability Existed: no
Icon Class Change - Non-Security Update - category.php - Line 42
Old Code:
```php
<span><i class="fa fa-check"></i> </span>
```
Fixed Code:
```php
<span><i class="stmlms-check-3"></i> </span>
```
Explanation:
This change replaces a FontAwesome icon class (`fa fa-check`) with a custom theme icon class (`stmlms-check-3`). This is a UI/styling change with no security implications. It does not introduce or fix any security vulnerabilities—it's purely a presentational update to use the theme's icon library instead of an external dependency.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/courses/advanced_filters/filters/instructor.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/instructor.php	2026-01-08 00:35:20.594827165 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/advanced_filters/filters/instructor.php	2026-01-08 00:38:01.844594779 +0000@@ -39,7 +39,7 @@ 								?> 								value="<?php echo sanitize_text_field( $user->ID ); //phpcs:ignore ?>" 								name="instructor[]"/>-						<span><i class="fa fa-check"></i> </span>+						<span><i class="stmlms-check-3"></i> </span> 					</span> 						<span><?php echo esc_html( STM_LMS_User::display_name( $user ) ); ?></span> 					</label>
AI Analysis
Vulnerability Existed: no
No Security Vulnerability - Icon Class Update

Explanation:
This diff shows a change from `fa fa-check` (Font Awesome icon class) to `stmlms-check-3` (custom icon class). This is a cosmetic/styling change with no security implications. The modification does not involve:
- Input validation or sanitization changes
- Authentication or authorization logic
- Data handling or processing
- External data sources or API calls
- File operations or system commands
- Database queries

The existing code already properly sanitizes the user ID using `sanitize_text_field()` and escapes the display name using `esc_html()`. The icon class change does not affect security posture in any way.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/courses/advanced_filters/filters/levels.php AI: 1 vulnerabilities 1 true positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/levels.php	2026-01-08 00:35:20.594827165 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/advanced_filters/filters/levels.php	2026-01-08 00:38:01.844594779 +0000@@ -20,13 +20,13 @@ 					<span class="stm_lms_styled_checkbox__inner"> 						<input type="checkbox" 							<?php-							if ( in_array( sanitize_text_field( $status ), $values ) ) {+							if ( in_array( sanitize_text_field( $status ), $values, true ) ) { 								echo 'checked="checked"'; 							} 							?> 							value="<?php echo sanitize_text_field( $status ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>" 							name="levels[]"/>-						<span><i class="fa fa-check"></i> </span>+						<span><i class="stmlms-check-3"></i> </span> 					</span> 						<span><?php echo esc_html( $status_label ); ?></span> 					</label>
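Review bot: the unchanged context line `value="<?php echo sanitize_text_field( $status ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>"` uses an input sanitiser as its output step and silences the sniff that would have flagged it; sanitize_text_field() strips tags and control characters but does not encode double quotes, which is the character that matters inside a quoted attribute. `value="<?php echo esc_attr( $status ); ?>"` is the right call and removes the need for the phpcs:ignore. The added `true` on in_array() at line 23 is fine provided `$values` (built outside this hunk for the `name="levels[]"` parameter) is always an array of strings; on PHP 8 in_array() throws a TypeError when the haystack is not an array, so the code that builds `$values` should guard it with is_array() or an `(array)` cast.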
AI Analysis
**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE

Loose Comparison Type Juggling - CWE-1025 - _core/stm-lms-templates/courses/advanced_filters/filters/levels.php [Line 23]

Old Code:
```php
if ( in_array( sanitize_text_field( $status ), $values ) ) {
```

Fixed Code:
```php
if ( in_array( sanitize_text_field( $status ), $values, true ) ) {
```

Explanation:
The `in_array()` function without the third parameter (strict mode) performs loose type comparison. This can lead to unexpected matches due to PHP's type juggling. For example, the string "0" would match the integer 0, or "1e2" would match 100. By adding the third parameter `true`, the function now performs strict comparison (checking both value AND type), preventing potential type juggling vulnerabilities. This is particularly important in security contexts where user input is being compared against expected values.

---

**Vulnerability 2:**

Vulnerability Existed: no

Icon Class Name Change - No CWE - _core/stm-lms-templates/courses/advanced_filters/filters/levels.php [Line 29]

Old Code:
```php
<span><i class="fa fa-check"></i> </span>
```

Fixed Code:
```php
<span><i class="stmlms-check-3"></i> </span>
```

Explanation:
This change replaces the Font Awesome icon class "fa fa-check" with a custom icon class "stmlms-check-3". This is a non-security change related to UI/styling and does not introduce or fix any security vulnerabilities. It's simply updating the icon library being used.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/courses/advanced_filters/filters/price.php AI: 1 vulnerabilities 1 false positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/price.php	2026-01-08 00:35:20.598827406 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/advanced_filters/filters/price.php	2026-01-08 00:38:01.844594779 +0000@@ -1,43 +1,47 @@ <?php -$values = (!empty($_GET['price'])) ? $_GET['price'] : array();+$values = ( ! empty( $_GET['price'] ) ) ? $_GET['price'] : array();  $statuses = array(-    'free_courses' => esc_html__('Free Courses', 'masterstudy-lms-learning-management-system'),-    'paid_courses' => esc_html__('Paid Courses', 'masterstudy-lms-learning-management-system'),-    'subscription' => esc_html__('Only Subscription', 'masterstudy-lms-learning-management-system'),+	'free_courses' => esc_html__( 'Free Courses', 'masterstudy-lms-learning-management-system' ),+	'paid_courses' => esc_html__( 'Paid Courses', 'masterstudy-lms-learning-management-system' ),+	'subscription' => esc_html__( 'Only Subscription', 'masterstudy-lms-learning-management-system' ), ); -if (!empty($statuses)) : ?>+if ( ! 
empty( $statuses ) ) : ?> -    <div class="stm_lms_courses__filter stm_lms_courses__search">+	<div class="stm_lms_courses__filter stm_lms_courses__search"> -        <div class="stm_lms_courses__filter_heading">-            <h3><?php esc_html_e('Price', 'masterstudy-lms-learning-management-system'); ?></h3>-            <div class="toggler"></div>-        </div>+		<div class="stm_lms_courses__filter_heading">+			<h3><?php esc_html_e( 'Price', 'masterstudy-lms-learning-management-system' ); ?></h3>+			<div class="toggler"></div>+		</div>++		<div class="stm_lms_courses__filter_content" style="display: none;">++			<?php foreach ( $statuses as $status => $status_label ) : ?>++				<div class="stm_lms_courses__filter_category">+					<label class="stm_lms_styled_checkbox">+					<span class="stm_lms_styled_checkbox__inner">+						<input type="checkbox"+								<?php+								if ( in_array( sanitize_text_field( $status ), $values, true ) ) {+									echo 'checked="checked"';}+								?>+								value="<?php echo sanitize_text_field( $status ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>"+								name="price[]"/>+						<span><i class="stmlms-check-3"></i> </span>+					</span>+						<span><?php echo esc_html( $status_label ); ?></span>+					</label>+				</div> -        <div class="stm_lms_courses__filter_content" style="display: none;">+			<?php endforeach; ?> -            <?php foreach ($statuses as $status => $status_label): ?>+		</div> -                <div class="stm_lms_courses__filter_category">-                    <label class="stm_lms_styled_checkbox">-                    <span class="stm_lms_styled_checkbox__inner">-                        <input type="checkbox"-                               <?php if ( in_array(sanitize_text_field($status), $values) ) echo 'checked="checked"'; ?>-                               value="<?php echo sanitize_text_field($status); ?>"-                               name="price[]"/>-                        <span><i 
class="fa fa-check"></i> </span>-                    </span>-                        <span><?php echo esc_html($status_label); ?></span>-                    </label>-                </div>+	</div> -            <?php endforeach; ?>--        </div>--    </div>--<?php endif;\ No newline at end of file+	<?php+endif;
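Review bot: the hunk still hands `$_GET['price']` to `in_array()` as `$values` without coercing it to an array, so a request carrying a scalar `?price=foo` makes `in_array( ..., $values, true )` fail (a TypeError on PHP 8, a warning on PHP 7) and breaks rendering of the filter; normalise it once at the top, e.g. `$values = array_map( 'sanitize_text_field', (array) $_GET['price'] );`. The `value="..."` attribute also relies on `sanitize_text_field()` plus a `phpcs:ignore` instead of `esc_attr()`; `$status` comes from the hardcoded `$statuses` keys so it is harmless today, but status.php in the same release writes `esc_attr( sanitize_text_field( ... ) )` and this file should match rather than silence the sniff.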
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - _core/stm-lms-templates/courses/advanced_filters/filters/price.php - Line 1

Old Code:
```php
$values = (!empty($_GET['price'])) ? $_GET['price'] : array();
```

Fixed Code:
```php
$values = ( ! empty( $_GET['price'] ) ) ? $_GET['price'] : array();
```

Explanation:
While the formatting change alone does not fix the vulnerability, the code still contains a critical input validation issue. The `$_GET['price']` array is retrieved directly without sanitization at this point. Although `sanitize_text_field()` is later applied to individual array elements in the `in_array()` check and the checkbox value output, the initial assignment of `$_GET['price']` to `$values` occurs without any validation. This could allow an attacker to pass malicious data structures. However, the subsequent use of `sanitize_text_field()` on each element mitigates the risk for the specific outputs shown.

---

Vulnerability Existed: not sure
Insufficient Input Validation in in_array() - CWE-1025 - _core/stm-lms-templates/courses/advanced_filters/filters/price.php - Line 29

Old Code:
```php
if ( in_array(sanitize_text_field($status), $values) ) echo 'checked="checked"'; ?>
```

Fixed Code:
```php
if ( in_array( sanitize_text_field( $status ), $values, true ) ) {
    echo 'checked="checked"';}
```

Explanation:
The fix adds the third parameter `true` to `in_array()`, enabling strict type checking. This is a security improvement because without strict comparison, PHP's loose type comparison could lead to unexpected matches (e.g., `"0" == 0`). The original code's lack of strict checking could potentially allow unintended matches if `$values` contains unexpected data types, creating a logic vulnerability. The fix improves security by ensuring type-safe comparisons.
CVE Analysis Results:
CVE-2025-13766: No
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates
_core/stm-lms-templates/courses/advanced_filters/filters/search.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/search.php	2026-01-08 00:35:20.610828131 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/advanced_filters/filters/search.php	2026-01-08 00:38:01.844594779 +0000@@ -3,13 +3,13 @@ $action         = ''; $filter_enabled = STM_LMS_Courses::filter_enabled(); /** get action for search if Filter disabled */-if ( false == $filter_enabled ) {+if ( false === $filter_enabled ) { 	$action = get_permalink( STM_LMS_Options::courses_page() ); } ?> <div class="stm_lms_courses__search"> 	<input data-action="<?php echo esc_attr( $action ); ?>" id='lms-search-input' type="text" name="search" value="<?php echo esc_attr( $value ); ?>" placeholder="<?php esc_attr_e( 'Search Courses', 'masterstudy-lms-learning-management-system' ); ?>"/> 	<button class="lms-search-btn" id="lms-search-btn">-		<i class="fa fa-search"></i>+		<i class="stmlms-search-2"></i> 	</button> </div>
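Review bot: switching `false == $filter_enabled` to `false === $filter_enabled` is only behaviour-preserving if `STM_LMS_Courses::filter_enabled()` returns a real boolean; if it can return `null`, `0` or `''` (an unset option, for example), `$action` now stays empty and the search input's `data-action` no longer points at the courses page when the filter is disabled. Confirm the return type, or write the guard as `if ( ! $filter_enabled )` so the intent is independent of the exact falsy value. The icon class swap is cosmetic.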
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Vulnerability 1:**

Vulnerability Existed: no

Code Style Fix - N/A - _core/stm-lms-templates/courses/advanced_filters/filters/search.php [Line 6]

Old Code:
```php
if ( false == $filter_enabled ) {
```

Fixed Code:
```php
if ( false === $filter_enabled ) {
```

Explanation:
This is a code style improvement, not a security fix. The change from loose comparison (`==`) to strict comparison (`===`) is a best practice that prevents type coercion bugs, but this specific line does not represent a security vulnerability being fixed. This is a coding standards improvement.

---

**Vulnerability 2:**

Vulnerability Existed: no

Code Refactoring - N/A - _core/stm-lms-templates/courses/advanced_filters/filters/search.php [Line 13]

Old Code:
```php
<i class="fa fa-search"></i>
```

Fixed Code:
```php
<i class="stmlms-search-2"></i>
```

Explanation:
This is a UI/styling change replacing a Font Awesome icon class with a custom icon class. This is not a security vulnerability. It is a maintenance update that changes the icon library used, but it does not fix any security issue. The output is still properly escaped via the surrounding HTML context.

---

**Summary:**
This diff contains no security fixes. It includes one code style improvement (strict comparison) and one UI/icon library update, neither of which addresses security vulnerabilities.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/courses/advanced_filters/filters/status.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/status.php	2026-01-08 00:35:20.610828131 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/advanced_filters/filters/status.php	2026-01-08 00:38:01.848595022 +0000@@ -1,6 +1,6 @@ <?php -$values = ( ! empty( $_GET['status'] ) ) ? $_GET['status'] : array();+$values              = ( ! empty( $_GET['status'] ) ) ? $_GET['status'] : array(); $is_featured_enabled = STM_LMS_Options::get_option( 'enable_featured_courses', true );  $statuses = STM_LMS_Helpers::get_course_statuses();@@ -27,7 +27,7 @@ 								?> 								value="<?php echo esc_attr( sanitize_text_field( $_status['id'] ) ); ?>" 								name="status[]"/>-						<span><i class="fa fa-check"></i> </span>+						<span><i class="stmlms-check-3"></i> </span> 					</span> 						<span><?php echo esc_html( $_status['label'] ); ?></span> 					</label>
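Review bot: the realigned assignment keeps `$values = $_GET['status']` unvalidated, so the checkbox loop that the second hunk shows (`name="status[]"`) still compares against whatever shape the query string has, and a scalar `?status=x` yields a string rather than an array. Since only whitespace changed on that line, it is a cheap place to normalise: `$values = array_map( 'sanitize_text_field', (array) ( $_GET['status'] ?? array() ) );` gives the loop a sanitised array in every case.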
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no
XSS (Cross-Site Scripting) - CWE-79 - _core/stm-lms-templates/courses/advanced_filters/filters/status.php - Line 3
Old Code:
```php
$values = ( ! empty( $_GET['status'] ) ) ? $_GET['status'] : array();
```

Fixed Code:
```php
$values              = ( ! empty( $_GET['status'] ) ) ? $_GET['status'] : array();
```
Explanation:
The code directly assigns `$_GET['status']` to `$values` without sanitization. However, this is NOT a vulnerability fix in the diff. The diff only shows whitespace alignment changes (adding spacing before the `=` operator). The actual security issue of unsanitized `$_GET` input remains unfixed. The vulnerable code pattern still exists in both versions.

---

Vulnerability Existed: no
No Vulnerability - _core/stm-lms-templates/courses/advanced_filters/filters/status.php - Line 30
Old Code:
```html
<span><i class="fa fa-check"></i> </span>
```

Fixed Code:
```html
<span><i class="stmlms-check-3"></i> </span>
```
Explanation:
This change replaces a Font Awesome icon class (`fa fa-check`) with a custom icon class (`stmlms-check-3`). This is purely a UI/styling change with no security implications. Both versions output HTML that is already properly escaped by the surrounding context. There is no introduction or remediation of a vulnerability here.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/courses/advanced_filters/filters/subcategory.php AI: 1 vulnerabilities 1 false positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/advanced_filters/filters/subcategory.php	2026-01-08 00:35:20.614828372 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/advanced_filters/filters/subcategory.php	2026-01-08 00:38:01.848595022 +0000@@ -1,59 +1,64 @@ <?php -$values = (!empty($_GET['subcategory'])) ? $_GET['subcategory'] : array();-$parents = get_transient('stm_lms_parent_categories');+$values  = ( ! empty( $_GET['subcategory'] ) ) ? $_GET['subcategory'] : array();+$parents = get_transient( 'stm_lms_parent_categories' ); -if (!empty($parents)) : ?>+if ( ! empty( $parents ) ) : ?> -    <div class="stm_lms_courses__filter stm_lms_courses__subcategory" style="display: none;">+	<div class="stm_lms_courses__filter stm_lms_courses__subcategory" style="display: none;"> -        <div class="stm_lms_courses__filter_heading">-            <h3><?php esc_html_e('Subcategory', 'masterstudy-lms-learning-management-system'); ?></h3>-            <div class="toggler"></div>-        </div>+		<div class="stm_lms_courses__filter_heading">+			<h3><?php esc_html_e( 'Subcategory', 'masterstudy-lms-learning-management-system' ); ?></h3>+			<div class="toggler"></div>+		</div> -        <div class="stm_lms_courses__filter_content" style="display: none;">+		<div class="stm_lms_courses__filter_content" style="display: none;"> -            <?php foreach ($parents as $parent):+			<?php+			foreach ( $parents as $parent ) : -                $terms = get_terms(-                    "stm_lms_course_taxonomy",-                    array(-                        'orderby' => 'count',-                        'order' => 'DESC',-                        'child_of' => $parent-                    )-                );+				$terms = get_terms(+					'stm_lms_course_taxonomy',+					array(+						'orderby'  => 'count',+						'order'    => 'DESC',+						'child_of' => $parent,+					)+				); -                ?>+				?> -  
              <div class="stm_lms_courses__subcategory_item stm_lms_courses__subcategory_<?php echo esc_attr($parent) ?>" style="display: none;">+				<div class="stm_lms_courses__subcategory_item stm_lms_courses__subcategory_<?php echo esc_attr( $parent ); ?>" style="display: none;"> -                    <h5 style="margin-top: 10px;"><?php echo esc_html(get_term($parent)->name); ?></h5>+					<h5 style="margin-top: 10px;"><?php echo esc_html( get_term( $parent )->name ); ?></h5> -                    <?php foreach ($terms as $term): ?>+					<?php foreach ( $terms as $term ) : ?> -                        <div class="stm_lms_courses__filter_category">-                            <label class="stm_lms_styled_checkbox">-                                <span class="stm_lms_styled_checkbox__inner">-                                    <input type="checkbox"-                                           <?php if (in_array(intval($term->term_id), $values)) echo 'checked="checked"'; ?>-                                           value="<?php echo intval($term->term_id); ?>"-                                           name="subcategory[]"/>-                                    <span><i class="fa fa-check"></i> </span>-                                </span>-                                <span><?php echo esc_html($term->name . ' (' . $term->count . ')'); ?></span>-                            </label>-                        </div>+						<div class="stm_lms_courses__filter_category">+							<label class="stm_lms_styled_checkbox">+								<span class="stm_lms_styled_checkbox__inner">+									<input type="checkbox"+											<?php+											if ( in_array( intval( $term->term_id ), $values, true ) ) {+												echo 'checked="checked"';}+											?>+											value="<?php echo intval( $term->term_id ); ?>"+											name="subcategory[]"/>+									<span><i class="stmlms-check-3"></i> </span>+								</span>+								<span><?php echo esc_html( $term->name . ' (' . $term->count . 
')' ); ?></span>+							</label>+						</div> -                    <?php endforeach; ?>+					<?php endforeach; ?> -                </div>+				</div> -            <?php endforeach; ?>+			<?php endforeach; ?> -        </div>+		</div> -    </div>+	</div> -<?php endif;\ No newline at end of file+	<?php+endif;
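Review bot: adding `true` to `in_array( intval( $term->term_id ), $values, true )` introduces a functional regression: `$values` is `$_GET['subcategory']` and every element of `$_GET` is a string, so strict comparison of the integer `intval( $term->term_id )` against strings never matches and no subcategory checkbox will render as checked after a filtered request. Cast the haystack first at line 3, e.g. `$values = array_map( 'intval', (array) $values );`, which also supplies the sanitisation the raw `$_GET` read still lacks. Minor: `echo 'checked="checked"';}` puts the closing brace on the statement line; move it to its own line.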
AI Analysis
# Security Analysis: subcategory.php Diff

## Vulnerability 1

**Vulnerability Existed: yes**
FALSE POSITIVE

**Improper Input Validation - CWE-20 - subcategory.php - Lines 3 and 44-45**

**Old Code:**
```php
$values = (!empty($_GET['subcategory'])) ? $_GET['subcategory'] : array();
...
<?php if (in_array(intval($term->term_id), $values)) echo 'checked="checked"'; ?>
```

**Fixed Code:**
```php
$values  = ( ! empty( $_GET['subcategory'] ) ) ? $_GET['subcategory'] : array();
...
<?php
if ( in_array( intval( $term->term_id ), $values, true ) ) {
    echo 'checked="checked"';}
?>
```

**Explanation:**
The vulnerability existed in the original code's use of `in_array()` without the strict type checking parameter. The original call `in_array(intval($term->term_id), $values)` uses loose comparison, which can lead to type juggling vulnerabilities. For example, the string "0" would match the integer 0. The fix adds the third parameter `true` to enforce strict comparison: `in_array(intval($term->term_id), $values, true)`. This ensures that both the type and value must match, preventing potential bypass or manipulation through type confusion. While the primary input is processed through `intval()`, the `$values` array itself comes from unsanitized `$_GET['subcategory']` and should be validated more robustly, though the strict comparison in `in_array()` does mitigate the immediate type confusion risk.

## Note on Other Changes

The remaining changes in the diff are code style and formatting improvements (whitespace, spacing, indentation alignment to WordPress coding standards, and an icon class change from `fa fa-check` to `stmlms-check-3`). These do not represent security vulnerabilities but rather code quality enhancements.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/courses/grid.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/courses/grid.php	2026-01-08 00:35:20.614828372 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/courses/grid.php	2026-01-08 00:38:01.848595022 +0000@@ -61,7 +61,7 @@ 					<?php esc_html_e( 'Featured Courses', 'masterstudy-lms-learning-management-system' ); ?> 				</h3> 				<a href="<?php echo esc_attr( $link ); ?>">-				<i class="fas fa-arrow-right"></i>+				<i class="stmlms-arrow-right-2"></i> 				<span> 					<?php esc_html_e( 'Show all', 'masterstudy-lms-learning-management-system' ); ?> 				</span>@@ -134,7 +134,7 @@ 			<?php esc_html_e( 'No courses found.', 'masterstudy-lms-learning-management-system' ); ?> 		</p> 		<a href="<?php echo esc_attr( get_permalink( STM_LMS_Options::courses_page() ) ); ?>" class="stm_lms_courses__filter_reset">-			<i class="fa fa-refresh"></i>+			<i class="stmlms-refresh-2"></i> 			<span><?php esc_html_e( 'Reset all', 'masterstudy-lms-learning-management-system' ); ?></span> 		</a> 	</div>
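Review bot: in both hunks the unchanged context escapes `href` values with `esc_attr()` (`<a href="<?php echo esc_attr( $link ); ?>">` and the `get_permalink( ... )` reset link); the WordPress convention for URL attributes is `esc_url()`, which additionally rejects non-http schemes. `get_permalink()` output is trusted, but `$link` is not set anywhere in the visible lines, so `esc_url( $link )` is the safer choice there. The icon class swaps themselves are cosmetic.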
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Vulnerability Existed: no**

**No Security Vulnerabilities Identified**

**Explanation:**

This diff shows a change in icon class names from Font Awesome (`fas fa-arrow-right` and `fa fa-refresh`) to custom icon classes (`stmlms-arrow-right-2` and `stmlms-refresh-2`). 

The changes involve:
1. Replacing `fas fa-arrow-right` with `stmlms-arrow-right-2` (line 64)
2. Replacing `fa fa-refresh` with `stmlms-refresh-2` (line 137)

Both the old and new code properly use `esc_attr()` to escape the `href` attribute and `esc_html_e()` for text output, which are correct WordPress escaping functions. The icon class name changes do not introduce any security vulnerabilities because:

- Icon class names are not user-controlled input
- They are static strings hardcoded in the template
- No SQL injection, XSS, or other injection vectors are present
- The escaping functions used for dynamic content remain unchanged and appropriate

This appears to be a routine maintenance update to migrate from Font Awesome icons to custom/internal icon classes without any security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/dashboard/components/add_user.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/dashboard/components/add_user.php	2026-01-08 00:35:20.626829097 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/dashboard/components/add_user.php	2026-01-08 00:38:01.876596723 +0000@@ -7,7 +7,7 @@  			<a href="#" class="add_user__btn" @click.prevent="active = true" v-if="!active"> -				<i class="fa fa-user-plus"></i>+				<i class="stmlms-user-plus"></i>  				<?php esc_html_e( 'Add student', 'masterstudy-lms-learning-management-system' ); ?> @@ -19,7 +19,7 @@  		<div class="add_user_box" v-if="active"> -			<i class="fa fa-envelope"></i>+			<i class="stmlms-envelope-2"></i>  			<h3><?php esc_html_e( 'Invite student to this course:', 'masterstudy-lms-learning-management-system' ); ?> 				{{title}}</h3>
AI Analysis
Vulnerability Existed: no
No vulnerabilities identified in this diff.

Explanation:
This diff contains only cosmetic changes to icon class names in a PHP template file. The changes replace Font Awesome icon classes ("fa fa-user-plus" and "fa fa-envelope") with custom icon classes ("stmlms-user-plus" and "stmlms-envelope-2").

These are purely presentational modifications with no security implications:
- No changes to user input handling
- No changes to output escaping or sanitization
- No changes to authentication, authorization, or access controls
- No changes to data processing or storage
- The existing security measures (esc_html_e() for text output) remain unchanged
- Icon class names themselves cannot introduce vulnerabilities as they only affect CSS styling

This appears to be a routine UI update to use a custom icon library instead of Font Awesome.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/dashboard/components/course.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/dashboard/components/course.php	2026-01-08 00:35:20.630829338 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/dashboard/components/course.php	2026-01-08 00:38:01.884597209 +0000@@ -19,7 +19,7 @@ 				<div class="searchboxes"> 					<add_user :course_id="id" v-on:studentAdded="studentAdded" :title="origin_title"></add_user> 					<div class="searchbox-wrapper">-						<i class="fa fa-search"></i>+						<i class="stmlms-search-2"></i> 						<input type="text" v-model="search" 							placeholder="<?php esc_attr_e( 'Search student...', 'masterstudy-lms-learning-management-system' ); ?>"> 					</div>@@ -35,32 +35,32 @@ 						<th class="name"> 							<div class="sort-table" @click="sortBy('name')" 								v-bind:class="[sort === 'name' ? 'active' : '', 'direction_' + sortDirection]">-								<i class="fa fa-long-arrow-alt-up"></i>-								<i class="fa fa-long-arrow-alt-down"></i>+								<i class="stmlms-long-arrow-alt-up"></i>+								<i class="stmlms-long-arrow-alt-down"></i> 								<?php esc_html_e( 'Student name', 'masterstudy-lms-learning-management-system' ); ?> 							</div> 						</th> 						<th class="email"> 							<div class="sort-table" @click="sortBy('email')" 								v-bind:class="[sort === 'email' ? 'active' : '', 'direction_' + sortDirection]">-								<i class="fa fa-long-arrow-alt-up"></i>-								<i class="fa fa-long-arrow-alt-down"></i>+								<i class="stmlms-long-arrow-alt-up"></i>+								<i class="stmlms-long-arrow-alt-down"></i> 								<?php esc_html_e( 'Student email', 'masterstudy-lms-learning-management-system' ); ?> 							</div> 						</th> 						<th class="time"> 							<div class="sort-table" @click="sortBy('time')" 								v-bind:class="[sort === 'time' ? 
'active' : '', 'direction_' + sortDirection]">-								<i class="fa fa-long-arrow-alt-up"></i>-								<i class="fa fa-long-arrow-alt-down"></i>+								<i class="stmlms-long-arrow-alt-up"></i>+								<i class="stmlms-long-arrow-alt-down"></i> 								<?php esc_html_e( 'Started', 'masterstudy-lms-learning-management-system' ); ?> 							</div> 						</th> 						<th class="progress_cell"> 							<div class="sort-table" @click="sortBy('progress')" 								v-bind:class="[sort === 'progress' ? 'active' : '', 'direction_' + sortDirection]">-								<i class="fa fa-long-arrow-alt-up"></i>-								<i class="fa fa-long-arrow-alt-down"></i>+								<i class="stmlms-long-arrow-alt-up"></i>+								<i class="stmlms-long-arrow-alt-down"></i> 								<?php esc_html_e( 'Progress', 'masterstudy-lms-learning-management-system' ); ?> 							</div> 						</th>@@ -112,7 +112,7 @@  						<td class="student_progress"> 							<div class="goToProgress" @click="toUser(id, list.user_id)" v-if="list.user_id">-								<i class="fa fa-list"></i>+								<i class="stmlms-list-2"></i> 								<?php esc_html_e( 'Progress', 'masterstudy-lms-learning-management-system' ); ?> 							</div> 						</td>
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no

No Security Vulnerabilities Detected - File: _core/stm-lms-templates/dashboard/components/course.php [Lines 22, 38-39, 47-48, 56-57, 65-66, 115]

Old Code:
```html
<i class="fa fa-search"></i>
<i class="fa fa-long-arrow-alt-up"></i>
<i class="fa fa-long-arrow-alt-down"></i>
<i class="fa fa-list"></i>
```

Fixed Code:
```html
<i class="stmlms-search-2"></i>
<i class="stmlms-long-arrow-alt-up"></i>
<i class="stmlms-long-arrow-alt-down"></i>
<i class="stmlms-list-2"></i>
```

Explanation:
This diff represents a cosmetic change replacing Font Awesome icon class names (fa fa-*) with custom icon class names (stmlms-*). This is a UI/styling update with no security implications. The changes:
- Do not modify any executable code paths
- Do not affect input validation or output escaping
- Do not introduce new attack vectors
- Do not affect access control or authentication
- Are purely presentational CSS class name updates

The existing code properly uses `esc_attr_e()` and `esc_html_e()` functions for output escaping, which remain unchanged and continue to protect against XSS vulnerabilities. This is a safe, non-security-related update.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/dashboard/components/course_user.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/dashboard/components/course_user.php	2026-01-08 00:35:20.630829338 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/dashboard/components/course_user.php	2026-01-08 00:38:01.884597209 +0000@@ -46,7 +46,7 @@ 								<div class="section_item__toggle" 									v-if="item.type==='assignment' || item.type==='quiz'" 									@click="openAssignments(item)">-									<i class="fa fa-chevron-down"></i>+									<i class="stmlms-chevron-down-2"></i> 								</div> 							</h4> 							<div class="section_item__completed">
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Analysis:**

Vulnerability Existed: **no**

**Explanation:**

This diff shows a change from using a Font Awesome icon class (`fa fa-chevron-down`) to a custom icon class (`stmlms-chevron-down-2`). This is a purely cosmetic/UI change with no security implications.

The change involves:
- **Old Code:** `<i class="fa fa-chevron-down"></i>`
- **Fixed Code:** `<i class="stmlms-chevron-down-2"></i>`

This is simply replacing one CSS icon class with another. There are no:
- Input validation issues
- Output encoding vulnerabilities
- Authentication/authorization problems
- Information disclosure risks
- Code injection vectors
- CSRF or XSS concerns

**Conclusion:** No security vulnerability exists in this diff. This is a UI/styling update, not a security fix.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/dashboard/components/navigation.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/dashboard/components/navigation.php	2026-01-08 00:35:20.638829821 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/dashboard/components/navigation.php	2026-01-08 00:38:01.892597695 +0000@@ -1,28 +1,28 @@ <transition name="slide"> -    <div class="stm-lms-dashboard-navigation">-        <div class="stm-lms-dashboard-navigation--inner">-            <a href="<?php echo esc_url(get_dashboard_url()); ?>" class="back_to_site">-                <i class="fa fa-arrow-left"></i>-                <?php esc_html_e('Back to Site', 'masterstudy-lms-learning-management-system'); ?>-            </a>--            <div class="stm-lms-dashboard-navigation--links">--                <router-link to="/courses">-                    <i class="fa fa-book-open"></i>-                    <?php esc_html_e('Courses', 'masterstudy-lms-learning-management-system'); ?>-                </router-link>--                <a href="">-                    <i class="fa fa-users"></i>-                    <?php esc_html_e('Students', 'masterstudy-lms-learning-management-system'); ?>-                    <span><?php esc_html_e('Soon', 'masterstudy-lms-learning-management-system'); ?></span>-                </a>+	<div class="stm-lms-dashboard-navigation">+		<div class="stm-lms-dashboard-navigation--inner">+			<a href="<?php echo esc_url( get_dashboard_url() ); ?>" class="back_to_site">+				<i class="stmlms-arrow-left-2"></i>+				<?php esc_html_e( 'Back to Site', 'masterstudy-lms-learning-management-system' ); ?>+			</a>++			<div class="stm-lms-dashboard-navigation--links">++				<router-link to="/courses">+					<i class="stmlms-book-2-open"></i>+					<?php esc_html_e( 'Courses', 'masterstudy-lms-learning-management-system' ); ?>+				</router-link>++				<a href="">+					<i class="stmlms-user-2"></i>+					<?php esc_html_e( 'Students', 'masterstudy-lms-learning-management-system' ); ?>+					
<span><?php esc_html_e( 'Soon', 'masterstudy-lms-learning-management-system' ); ?></span>+				</a> -            </div>+			</div> -        </div>-    </div>+		</div>+	</div> -</transition>\ No newline at end of file+</transition>
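Review bot: the re-indented "Students" entry keeps `<a href="">` with no click handler, so the placeholder labelled "Soon" reloads the current dashboard page when clicked; use a non-link element or `href="#"` with `@click.prevent`, as add_user.php in this same release does. Escaping is unchanged: `esc_url( get_dashboard_url() )` and `esc_html_e()` remain on every dynamic output.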
AI Analysis
Vulnerability Existed: no

No vulnerabilities detected in this diff.

Explanation:
This diff represents a formatting and icon library refactor with no security implications:

1. **Indentation changes**: Converting spaces to tabs for code formatting consistency
2. **PHP function call spacing**: Adding spaces around function parameters (e.g., `get_dashboard_url()` → `get_dashboard_url( )`) which is a code style improvement
3. **Icon class updates**: Replacing Font Awesome icon classes (`fa fa-arrow-left`, `fa fa-book-open`, `fa fa-users`) with custom icon classes (`stmlms-arrow-left-2`, `stmlms-book-2-open`, `stmlms-user-2`)

All security-critical functions remain intact:
- `esc_url()` is still properly used to escape the URL output
- `esc_html_e()` is still properly used to escape and localize text strings
- No new user input sources are introduced
- No authentication or authorization logic is modified
- No sensitive data handling is changed

The changes are purely stylistic and do not introduce, fix, or affect any security vulnerabilities.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/dashboard/components/student_assignments.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/dashboard/components/student_assignments.php	2026-01-08 00:35:20.638829821 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/dashboard/components/student_assignments.php	2026-01-08 00:38:01.892597695 +0000@@ -1,51 +1,51 @@ <transition name="slide"> -    <div class="dashboard-student-assignments">+	<div class="dashboard-student-assignments"> -        <div class="loading" v-if="loading"></div>+		<div class="loading" v-if="loading"></div> -        <div class="dashboard-student-assignments--table" v-else>+		<div class="dashboard-student-assignments--table" v-else> -            <div v-if="assignments.length">+			<div v-if="assignments.length"> -                <div v-for="(assignment, assignment_key) in assignments" class="assingment-single">+				<div v-for="(assignment, assignment_key) in assignments" class="assingment-single">  -                    <div class="content">-                        <h5><?php esc_html_e('Student attempt', 'masterstudy-lms-learning-management-system'); ?> #{{assignment_key + 1}}</h5>-                        <div class="content" v-html="assignment.content" v-if="assignment.content"></div>-                        <div class="content" v-else>---</div>-                    </div>+					<div class="content">+						<h5><?php esc_html_e( 'Student attempt', 'masterstudy-lms-learning-management-system' ); ?> #{{assignment_key + 1}}</h5>+						<div class="content" v-html="assignment.content" v-if="assignment.content"></div>+						<div class="content" v-else>---</div>+					</div> -                    <div class="status">-                        <div class="status" v-bind:class="assignment.meta.status">-                            <i class="fa fa-check" v-if="assignment.meta.status==='passed'"></i>-                            <i class="fa fa-times" v-else></i>-                        </div>-                    </div>+					<div 
class="status">+						<div class="status" v-bind:class="assignment.meta.status">+							<i class="stmlms-check-3" v-if="assignment.meta.status==='passed'"></i>+							<i class="stmlms-times" v-else></i>+						</div>+					</div> -                    <div class="comment">-                        <h5><?php esc_html_e('Instructor answer', 'masterstudy-lms-learning-management-system'); ?></h5>-                        <div class="content">-                            <div class="author">-                                <div class="img" v-html="instructor_data.avatar"></div>-                                <div class="author__info">-                                    <span v-html="instructor_data.meta.position" v-if="instructor_data.meta.position"></span>-                                    <h5 v-html="instructor_data.login"></h5>-                                </div>-                            </div>-                            <div v-html="assignment.meta.editor_comment" v-if="assignment.meta.editor_comment" class="inside_content"></div>-                            <div class="content" v-else>---</div>-                        </div>-                    </div>+					<div class="comment">+						<h5><?php esc_html_e( 'Instructor answer', 'masterstudy-lms-learning-management-system' ); ?></h5>+						<div class="content">+							<div class="author">+								<div class="img" v-html="instructor_data.avatar"></div>+								<div class="author__info">+									<span v-html="instructor_data.meta.position" v-if="instructor_data.meta.position"></span>+									<h5 v-html="instructor_data.login"></h5>+								</div>+							</div>+							<div v-html="assignment.meta.editor_comment" v-if="assignment.meta.editor_comment" class="inside_content"></div>+							<div class="content" v-else>---</div>+						</div>+					</div> -                </div>-            </div>+				</div>+			</div> -            <h4 v-else><?php esc_html_e('No assignments yet...', 
'masterstudy-lms-learning-management-system'); ?></h4>+			<h4 v-else><?php esc_html_e( 'No assignments yet...', 'masterstudy-lms-learning-management-system' ); ?></h4> -        </div>+		</div> -    </div>+	</div> -</transition>\ No newline at end of file+</transition>
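Review bot: the only behavioural change in this hunk is the two icon swaps (`fa fa-check` to `stmlms-check-3`, `fa fa-times` to `stmlms-times`) plus the restored trailing newline, but the space-to-tab reindent rewrites all 51 lines, so the icon change cannot be reviewed in isolation; land the formatting as its own commit. While the file is being touched, the misspelled class `assingment-single` is carried over unchanged; renaming it needs the matching stylesheet rule, so flag it rather than fix it here. The five `v-html` bindings (`assignment.content`, `instructor_data.avatar`, `instructor_data.meta.position`, `instructor_data.login`, `assignment.meta.editor_comment`) are identical on both sides, so this patch neither adds nor removes any sanitisation of that server-supplied HTML.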
AI Analysis
Analyzing the provided diff for security vulnerabilities:

Vulnerability Existed: no

Explanation:
This diff contains only formatting and code style changes with no security implications:

1. **Indentation Changes**: Lines 3-50 show conversion from spaces to tabs for indentation. This is purely a formatting change with no security impact.

2. **PHP Function Formatting**: The `esc_html_e()` function calls have been reformatted with spaces around parameters (e.g., `esc_html_e( 'text', 'domain' )` instead of `esc_html_e('text', 'domain')`). This is a code style adjustment with no security impact, and the function remains properly used for escaping output.

3. **Icon Class Updates**: Lines 24-25 replace Font Awesome icon classes (`fa fa-check`, `fa fa-times`) with custom theme classes (`stmlms-check-3`, `stmlms-times`). This is a UI/styling change with no security implications.

4. **No Logic Changes**: The template logic, Vue.js directives (`v-if`, `v-for`, `v-html`, `v-bind`), and PHP escaping functions remain functionally identical and secure.

All `v-html` directives are bound to server-side data that is properly escaped before output, and the `esc_html_e()` functions continue to properly escape user-facing text.

**Conclusion**: No security vulnerabilities were introduced or fixed in this diff. The changes are purely cosmetic and formatting-related.
CVE Analysis Results:
CVE-2025-13766: No
View CVE Description
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates.
_core/stm-lms-templates/dashboard/components/student_quiz.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/dashboard/components/student_quiz.php	2026-01-08 00:35:20.638829821 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/dashboard/components/student_quiz.php	2026-01-08 00:38:01.896597938 +0000@@ -1,41 +1,41 @@ <transition name="slide"> -    <div class="dashboard-student-assignments">+	<div class="dashboard-student-assignments"> -        <div class="loading" v-if="loading"></div>+		<div class="loading" v-if="loading"></div> -        <div class="dashboard-student-assignments--table" v-else>+		<div class="dashboard-student-assignments--table" v-else> -            <div v-if="quizzes.length">+			<div v-if="quizzes.length"> -                <div v-for="(quiz, quiz_key) in quizzes" class="quiz-single" v-bind:class="{'passed' : quiz.status}">-                    <div class="quiz-single_title">-                        <?php esc_html_e('Attempt #', 'masterstudy-lms-learning-management-system') ?> {{quiz_key + 1}}-                    </div>-                    <div class="quiz-single_progress">-                        <div class="progress-wrapper">-                            <div class="progress">-                                <div class="progress-bar progress-bar-success"-                                     v-bind:class="{'active progress-bar-striped' : quiz.status !== 'passed'}"-                                     v-bind:style="{'width': quiz.progress + '%'}"></div>-                            </div>-                            <div class="progress-label">{{quiz.progress}}%</div>-                        </div>-                    </div>-                    <div class="quiz-single_toggle" @click="openQuiz(quiz, quiz_key + 1)">-                        <span><?php esc_html_e('Show student answers', 'masterstudy-lms-learning-management-system'); ?></span>-                        <i class="fa fa-chevron-down"></i>-                    </div>+				<div 
v-for="(quiz, quiz_key) in quizzes" class="quiz-single" v-bind:class="{'passed' : quiz.status}">+					<div class="quiz-single_title">+						<?php esc_html_e( 'Attempt #', 'masterstudy-lms-learning-management-system' ); ?> {{quiz_key + 1}}+					</div>+					<div class="quiz-single_progress">+						<div class="progress-wrapper">+							<div class="progress">+								<div class="progress-bar progress-bar-success"+									v-bind:class="{'active progress-bar-striped' : quiz.status !== 'passed'}"+									v-bind:style="{'width': quiz.progress + '%'}"></div>+							</div>+							<div class="progress-label">{{quiz.progress}}%</div>+						</div>+					</div>+					<div class="quiz-single_toggle" @click="openQuiz(quiz, quiz_key + 1)">+						<span><?php esc_html_e( 'Show student answers', 'masterstudy-lms-learning-management-system' ); ?></span>+						<i class="stmlms-chevron-down-2"></i>+					</div> -                    <?php STM_LMS_Templates::show_lms_template('dashboard/parts/single_quiz'); ?>+					<?php STM_LMS_Templates::show_lms_template( 'dashboard/parts/single_quiz' ); ?> -                </div>-            </div>+				</div>+			</div> -            <h4 v-else><?php esc_html_e('No quizzes yet...', 'masterstudy-lms-learning-management-system'); ?></h4>+			<h4 v-else><?php esc_html_e( 'No quizzes yet...', 'masterstudy-lms-learning-management-system' ); ?></h4> -        </div>+		</div> -    </div>+	</div> -</transition>\ No newline at end of file+</transition>
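Review bot: `v-bind:class="{'passed' : quiz.status}"` keys on the truthiness of `quiz.status`, while the progress bar a few lines later tests `quiz.status !== 'passed'`; any non-empty status other than 'passed' gets the `passed` class yet still renders the striped, active bar. Both sides of the hunk carry this, so it is pre-existing, but since the whole block is being reindented anyway the one-token fix `{'passed' : quiz.status === 'passed'}` would be cheap to include. As in the sibling assignments template, the space-to-tab reindent buries the single real change (`fa fa-chevron-down` to `stmlms-chevron-down-2`).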
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Analysis Result:**

Vulnerability Existed: no

**Explanation:**

This diff contains only formatting and code style changes with no security implications:

1. **Indentation Changes**: The primary change is converting spaces to tabs for indentation consistency throughout the file. This is a pure formatting change with no security impact.

2. **Function Call Spacing**: Minor adjustments to spacing in PHP function calls:
   - `esc_html_e('Attempt #', ...)` → `esc_html_e( 'Attempt #', ... )` (spacing added around parameters)
   - `show_lms_template('dashboard/parts/single_quiz')` → `show_lms_template( 'dashboard/parts/single_quiz' )` (spacing added)
   
   These follow WordPress coding standards but have no security impact.

3. **Icon Class Change**: One functional change:
   - `<i class="fa fa-chevron-down"></i>` → `<i class="stmlms-chevron-down-2"></i>`
   
   This is a CSS class replacement for icon display and has no security implications.

**Conclusion:**

This diff represents a code style/formatting update to conform to WordPress coding standards. The existing security measures (use of `esc_html_e()` for output escaping, Vue.js template syntax, and the `show_lms_template()` function) remain unchanged. No vulnerabilities were introduced or fixed by these changes.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/dashboard/components/user_data_transfer.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/dashboard/components/user_data_transfer.php	2026-01-08 00:35:20.638829821 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/dashboard/components/user_data_transfer.php	2026-01-08 00:38:01.896597938 +0000@@ -2,13 +2,13 @@ 	<div class="user-data-transfer"> 		<div class="user-data-transfer__action"> 			<a href="#" class="user-data-transfer__btn user-data-transfer__btn-import" @click.prevent="modalVisible=true">-				<i class="fa fa-upload"></i>+				<i class="stmlms-upload-2"></i> 				<span> 					<?php esc_html_e( 'Import CSV', 'masterstudy-lms-learning-management-system' ); ?> 				</span> 			</a> 			<a href="#" class="user-data-transfer__btn user-data-transfer__btn-export" @click.prevent="exportUsers">-				<i class="fa fa-download"></i>+				<i class="stmlms-download-2"></i> 				<span> 					<?php esc_html_e( 'Export CSV', 'masterstudy-lms-learning-management-system' ); ?> 				</span>@@ -21,7 +21,7 @@ 						<span class="user-data-transfer__modal-title"> 							<span v-if="importStep<3"><?php esc_html_e( 'Import students from CSV', 'masterstudy-lms-learning-management-system' ); ?></span> 							<span v-if="importStep==4"><?php esc_html_e( 'Import partially complete', 'masterstudy-lms-learning-management-system' ); ?></span>-						</span> +						</span> 						<span class="user-data-transfer__modal-close" @click="closeImportModal()"></span> 					</div> 					<div class="user-data-transfer__modal-text" v-if="importStep<3 || importStep==4">@@ -34,7 +34,7 @@ 					</div> 					<div class="user-data-transfer__modal-download" v-if="importStep<2"> 						<a href="<?php echo esc_url( STM_LMS_URL . 
'assets/samples/import_users.csv' ); // phpcs:ignore WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet ?>" class="user-data-transfer__btn user-data-transfer__btn-download" download>-							<i class="fa fa-download"></i>+							<i class="stmlms-download-2"></i> 							<span> 								<?php esc_html_e( 'Download a CSV file template', 'masterstudy-lms-learning-management-system' ); ?> 							</span>@@ -42,7 +42,7 @@ 					</div> 					<div class="user-data-transfer__info" v-if="importStep==4"> 						<span class="user-data-transfer__warning">-							<i class="fas fa-exclamation-triangle"></i>+							<i class="stmlms-exclamation-triangle"></i> 							<?php esc_html_e( 'The users below were not imported as they had already been enrolled in this course.', 'masterstudy-lms-learning-management-system' ); ?> 						</span> 						<div  class="user-data-transfer__list">@@ -52,16 +52,16 @@ 						</div> 					</div> 					<div class="user-data-transfer-file-upload" v-if="importStep==0" ref="uploadFileDropArea">-						<div class="user-data-transfer-file-upload__item-wrapper"></div> +						<div class="user-data-transfer-file-upload__item-wrapper"></div> 						<div class="user-data-transfer-file-upload__field"> 							<span class="user-data-transfer-file-upload__field-button" @click.prevent="uploadImportFile()"> 								<?php esc_html_e( 'Upload CSV', 'masterstudy-lms-learning-management-system' ); ?>-							</span> +							</span> 							<div class="user-data-transfer-file-upload__field-text"> 								<p><?php esc_html_e( 'Drag file here or click the button.', 'masterstudy-lms-learning-management-system' ); ?></p>-							</div> +							</div> 							<div :class="{ 'user-data-transfer-file-upload__field-error': true, 'is-visible': fileTypeError || emptyCsvFile }">-								<i class="fas fa-exclamation-triangle"></i>+								<i class="stmlms-exclamation-triangle"></i> 								<span v-if="fileTypeError"> 									<?php esc_html_e( 'Unsupported file type.', 
'masterstudy-lms-learning-management-system' ); ?> 								</span>@@ -73,7 +73,7 @@ 										<?php esc_html_e( 'Try again', 'masterstudy-lms-learning-management-system' ); ?> 									</span> 								</a>-							</div> +							</div> 							<input ref="importFileInput" type="file" class="user-data-transfer-file-upload__input" accept=".csv"> 						</div> 					</div>@@ -96,7 +96,7 @@ 						</div> 						<div class="user-data-transfer-progress__title"> 							<span>-								<?php esc_html_e( 'Importing', 'masterstudy-lms-learning-management-system' ); ?> +								<?php esc_html_e( 'Importing', 'masterstudy-lms-learning-management-system' ); ?> 								{{userDataFileName}}: 							</span> 							<span class="user-data-transfer-progress__percent">{{importProgress}}%</span>
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Vulnerability Existed: no**

This diff contains only cosmetic and icon library changes with no security implications:

1. **Font icon class replacements** (lines 5, 11, 37, 45, 63):
   - Changed from Font Awesome classes (`fa fa-upload`, `fa fa-download`, `fas fa-exclamation-triangle`) to custom icon classes (`stmlms-upload-2`, `stmlms-download-2`, `stmlms-exclamation-triangle`)
   - This is purely a UI/styling change with no security impact

2. **Whitespace cleanup** (lines 24, 55, 58, 60, 76, 99):
   - Removed trailing whitespace from HTML elements
   - No security implications

**Analysis Summary:**

This is a maintenance update that:
- Updates the icon library/classes (cosmetic change)
- Cleans up trailing whitespace (code style)
- Makes no changes to PHP output escaping or security-related functions
- Does not modify any data handling, validation, or authorization logic

All PHP security functions remain intact:
- `esc_html_e()` still properly escapes translatable strings (line 7, etc.)
- `esc_url()` still properly escapes URLs (line 36)
- No new user input vectors introduced
- No changes to file upload handling logic

**Conclusion: No vulnerabilities introduced or fixed in this diff.**
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/category.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/category.php	2026-01-08 00:35:20.730835376 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/category.php	2026-01-08 00:38:02.040606687 +0000@@ -12,8 +12,8 @@ 			<div class="ms_lms_courses_archive__filter_options_item_category"> 				<label class="ms_lms_courses_archive__filter_options_item_checkbox"> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_inner">-						<input type="checkbox" value="<?php echo intval( $term->term_id ); ?>" <?php checked( in_array( $term->term_id, $terms ) ); ?> name="category[]"/>-						<span><i class="fa fa-check"></i></span>+						<input type="checkbox" value="<?php echo intval( $term->term_id ); ?>" <?php checked( in_array( $term->term_id, $terms, true ) ); ?> name="category[]"/>+						<span><i class="stmlms-check-3"></i></span> 					</span> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_label"><?php echo esc_html( $term->name ); ?></span> 				</label>
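Review bot: switching to `in_array( $term->term_id, $terms, true )` is correct only if `$terms` holds integers; `$term->term_id` on a `WP_Term` is an int, while values read from a `category[]` query parameter arrive as strings, so if `$terms` is built straight from the request the checkbox will never be re-checked after this change. Confirm that the code building `$terms` (not in this hunk) maps its entries through `intval()` or `absint()`. The `intval( $term->term_id )` on the `value` attribute and `esc_html( $term->name )` on the label are unchanged.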
AI Analysis
Vulnerability Existed: no
Type Comparison - CWE-1025 - _core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/category.php - Line 15

Old Code:
```php
<?php checked( in_array( $term->term_id, $terms ) ); ?>
```

Fixed Code:
```php
<?php checked( in_array( $term->term_id, $terms, true ) ); ?>
```

Explanation:
The fix adds the third parameter `true` to the `in_array()` function, enabling strict type checking. While this is a best practice improvement, it's not fixing an actual vulnerability in this context. The `$term->term_id` is consistently an integer (from WordPress term objects), and `$terms` should contain term IDs as integers, so loose comparison would work correctly. However, adding strict type checking (`true`) is a defensive programming practice that prevents potential type juggling issues if `$terms` ever contained unexpected data types. This is a hardening improvement rather than a security fix for an existing vulnerability.

---

Additional Note:
The second change (icon class from `fa fa-check` to `stmlms-check-3`) is a UI/styling update with no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/instructors.php AI: 1 vulnerability, 1 false positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/instructors.php	2026-01-08 00:35:20.730835376 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/instructors.php	2026-01-08 00:38:02.044606930 +0000@@ -1,6 +1,6 @@ <?php $metas['instructor'] = isset( $metas['instructor'] ) ? $metas['instructor'] : array();-$limit = 2;+$limit               = 2; ?> <div class="ms_lms_courses_archive__filter_options_item"> 	<div class="ms_lms_courses_archive__filter_options_item_title">@@ -14,8 +14,8 @@ 			<div class="ms_lms_courses_archive__filter_options_item_category <?php echo esc_attr( ( $index > $limit ) ? 'hide_instructor' : '' ); ?>"> 				<label class="ms_lms_courses_archive__filter_options_item_checkbox"> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_inner">-						<input type="checkbox" value="<?php echo intval( $instructor->ID ); ?>" <?php checked( in_array( $instructor->ID, $metas['instructor'] ) ); ?> name="instructor[]"/>-						<span><i class="fa fa-check"></i></span>+						<input type="checkbox" value="<?php echo intval( $instructor->ID ); ?>" <?php checked( in_array( $instructor->ID, $metas['instructor'], true ) ); ?> name="instructor[]"/>+						<span><i class="stmlms-check-3"></i></span> 					</span> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_label"><?php echo esc_html( $instructor->display_name ); ?></span> 				</label>
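Review bot: same concern as the category filter: `in_array( $instructor->ID, $metas['instructor'], true )` compares an integer user ID against `$metas['instructor']`, which the first hunk defaults to `array()` but otherwise takes as-is; if those entries are strings from the `instructor[]` request parameter, strict comparison silently stops matching and the selected filter is lost on reload. Cast the entries to int where `$metas['instructor']` is populated. The `$limit               = 2;` realignment is WPCS operator alignment with no behavioural change.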
AI Analysis
# Security Analysis - Code Diff Review

Based on the provided diff, here is the security analysis:

---

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE

**Type Juggling / Loose Comparison - CWE-1025** - instructors.php Line 17

Old Code:
```php
<?php checked( in_array( $instructor->ID, $metas['instructor'] ) ); ?>
```

Fixed Code:
```php
<?php checked( in_array( $instructor->ID, $metas['instructor'], true ) ); ?>
```

Explanation:
The `in_array()` function without the strict parameter (third argument set to `true`) performs loose comparison by default. This can lead to type juggling vulnerabilities where values that are not strictly equal may be considered equal (e.g., `"0"` == `0` == `false`). An instructor ID of `0` or a string representation of a number could match unintended array values due to type coercion. The fix adds `true` as the third parameter to enforce strict type checking, ensuring only values that are both equal in value AND type are matched. This prevents potential security issues where incorrect instructor selections could occur due to type juggling.

---

**Additional Observations:**

- Line 3: Change from `$limit = 2;` to `$limit               = 2;` is a formatting/whitespace change with no security impact.
- Line 18: Change from `fa fa-check` icon class to `stmlms-check-3` is a UI/styling change with no security impact.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/level.php AI: 1 vulnerability, 1 true positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/level.php	2026-01-08 00:35:20.734835617 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/level.php	2026-01-08 00:38:02.048607173 +0000@@ -11,8 +11,8 @@ 			<div class="ms_lms_courses_archive__filter_options_item_category"> 				<label class="ms_lms_courses_archive__filter_options_item_checkbox"> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_inner">-						<input type="checkbox" value="<?php echo esc_html( $levels ); ?>" <?php checked( in_array( $levels, $metas['level'] ) ); ?> name="level[]"/>-						<span><i class="fa fa-check"></i></span>+						<input type="checkbox" value="<?php echo esc_html( $levels ); ?>" <?php checked( in_array( $levels, $metas['level'], true ) ); ?> name="level[]"/>+						<span><i class="stmlms-check-3"></i></span> 					</span> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_label"><?php echo esc_html( $levels_label ); ?></span> 				</label>
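Review bot: `value="<?php echo esc_html( $levels ); ?>"` is an attribute context, so `esc_attr()` is the function to use there; `esc_html()` encodes quotes as well, so this is not exploitable as written, but it is the wrong escaper for the context and WPCS flags it. The strict `in_array( $levels, $metas['level'], true )` is safe as long as `$levels` and the entries of `$metas['level']` are both strings (level slugs from a `level[]` parameter), in which case the change tightens the comparison without losing any selection; confirm that where `$metas['level']` is built.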
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Strict Type Checking in Array Search - CWE-1025 - level.php - Line 14

Old Code:
```php
<?php checked( in_array( $levels, $metas['level'] ) ); ?>
```

Fixed Code:
```php
<?php checked( in_array( $levels, $metas['level'], true ) ); ?>
```

Explanation:
The original code uses `in_array()` without the strict parameter (third argument defaults to `false`), which performs loose type comparison. This can lead to unexpected behavior where values like `"0"` (string) would match `0` (integer) or `"1"` would match `true`. This is a type juggling vulnerability. The fix adds `true` as the third parameter, enabling strict type checking (`===` instead of `==`), which ensures that only exact matches are found. This prevents potential security issues related to type confusion and unintended logic bypasses in the filter comparison.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/price.php AI: 1 vulnerability, 1 false positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/price.php	2026-01-08 00:35:20.734835617 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/price.php	2026-01-08 00:38:02.052607416 +0000@@ -11,8 +11,8 @@ 			<div class="ms_lms_courses_archive__filter_options_item_category"> 				<label class="ms_lms_courses_archive__filter_options_item_checkbox"> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_inner">-						<input type="checkbox" value="<?php echo esc_html( $price ); ?>" <?php checked( in_array( $price, $metas['price'] ) ); ?> name="price[]"/>-						<span><i class="fa fa-check"></i></span>+						<input type="checkbox" value="<?php echo esc_html( $price ); ?>" <?php checked( in_array( $price, $metas['price'], true ) ); ?> name="price[]"/>+						<span><i class="stmlms-check-3"></i></span> 					</span> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_label"><?php echo esc_html( $price_label ); ?></span> 				</label>
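Review bot: as with the level filter, `esc_attr()` rather than `esc_html()` belongs on the `value` attribute. The strict `in_array( $price, $metas['price'], true )` only changes behaviour when the two sides differ in type: if `$price` is a string key and `$metas['price']` comes from a `price[]` query parameter, both are strings and nothing is lost, but if `$metas['price']` is ever populated with integers or booleans elsewhere the checkbox will stop re-checking. A one-line comment stating the expected element type of `$metas['price']` would make the intent of the strict flag reviewable.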
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Strict Type Checking - CWE-1025 - _core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/price.php (Line 14)
Old Code:
```php
<?php checked( in_array( $price, $metas['price'] ) ); ?>
```
Fixed Code:
```php
<?php checked( in_array( $price, $metas['price'], true ) ); ?>
```
Explanation:
The vulnerability exists because `in_array()` without the third parameter (strict mode) performs loose type comparison. This can lead to type juggling vulnerabilities where values like "0", 0, false, or empty strings may match unintended array values. For example, if `$price` is "0" (string), it could match `false` or 0 (integer) in the array, causing incorrect checkbox selection. The fix adds `true` as the third parameter to enforce strict type checking, ensuring only exact type and value matches are found. This prevents unintended type coercion vulnerabilities in user-facing filtering logic.

---

Vulnerability Existed: no
Icon Class Change - No Security Vulnerability - _core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/price.php (Line 15)
Old Code:
```php
<i class="fa fa-check"></i>
```
Fixed Code:
```php
<i class="stmlms-check-3"></i>
```
Explanation:
This change replaces a Font Awesome icon class with a custom icon class. This is not a security vulnerability—it is a UI/styling change to use a different icon library or custom icon set. No security implications exist for icon class changes.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/status.php AI: 1 vulnerability, 1 false positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/status.php	2026-01-08 00:35:20.734835617 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/status.php	2026-01-08 00:38:02.060607902 +0000@@ -11,8 +11,8 @@ 			<div class="ms_lms_courses_archive__filter_options_item_category"> 				<label class="ms_lms_courses_archive__filter_options_item_checkbox"> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_inner">-						<input type="checkbox" value="<?php echo esc_html( $status ); ?>" <?php checked( in_array( $status, $metas['status'] ) ); ?> name="status[]"/>-						<span><i class="fa fa-check"></i></span>+						<input type="checkbox" value="<?php echo esc_html( $status ); ?>" <?php checked( in_array( $status, $metas['status'], true ) ); ?> name="status[]"/>+						<span><i class="stmlms-check-3"></i></span> 					</span> 					<span class="ms_lms_courses_archive__filter_options_item_checkbox_label"><?php echo esc_html( $status_label ); ?></span> 				</label>
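Review bot: this hunk changes only the `in_array()` comparison and the icon class; the `esc_html( $status )` on the `value` attribute (where `esc_attr()` would be the context-correct choice) is untouched on both sides, so nothing in this diff bears on output escaping. The strict flag is harmless when `$status` and the entries of `$metas['status']` are both strings from a `status[]` parameter, and should come with the same check of how `$metas['status']` is built as for the other filter templates.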
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - _core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/status.php (Line 14)

Old Code:
```php
<input type="checkbox" value="<?php echo esc_html( $status ); ?>" <?php checked( in_array( $status, $metas['status'] ) ); ?> name="status[]"/>
```

Fixed Code:
```php
<input type="checkbox" value="<?php echo esc_html( $status ); ?>" <?php checked( in_array( $status, $metas['status'], true ) ); ?> name="status[]"/>
```

Explanation:
The vulnerability exists in the `in_array()` function call without the strict type-checking parameter. When `in_array()` is called without the third parameter set to `true`, it performs loose comparison, which can lead to type juggling vulnerabilities. For example, if `$status` is a numeric string like "0" or "1", it could match non-string values in the `$metas['status']` array due to PHP's loose comparison rules. While the XSS risk is primarily mitigated by `esc_html()` on the value attribute, the loose comparison in `in_array()` could allow unintended values to be selected, potentially leading to security issues depending on how the status values are used downstream. The fix adds `true` as the third parameter to enforce strict type checking (`===` instead of `==`), ensuring that only exact matches are considered.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/subcategory.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/subcategory.php	2026-01-08 00:35:20.734835617 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/courses/courses-archive/filter/options/subcategory.php	2026-01-08 00:38:02.068608388 +0000@@ -18,7 +18,7 @@ 						<label class="ms_lms_courses_archive__filter_options_item_checkbox"> 							<span class="ms_lms_courses_archive__filter_options_item_checkbox_inner"> 								<input type="checkbox" value="<?php echo intval( $item->term_id ); ?>" <?php checked( in_array( $item->term_id, $selected_subcategories, true ) ); ?> name="subcategory[]"/>-								<span><i class="fa fa-check"></i></span>+								<span><i class="stmlms-check-3"></i></span> 							</span> 							<span class="ms_lms_courses_archive__filter_options_item_checkbox_label"><?php echo esc_html( $item->name ); ?></span> 						</label>
AI Analysis
Vulnerability Existed: no
[No Vulnerability Identified]
Old Code:
```
<span><i class="fa fa-check"></i></span>
```
Fixed Code:
```
<span><i class="stmlms-check-3"></i></span>
```
Explanation:
This change replaces a Font Awesome icon class reference (`fa fa-check`) with a custom icon class (`stmlms-check-3`). This is a cosmetic UI update with no security implications. The change does not involve:
- User input handling or sanitization
- Data processing or validation
- Authentication or authorization logic
- External resource loading from untrusted sources
- Any code execution or dynamic behavior modification

This is purely a frontend icon class name change and presents no security vulnerability.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/instructors-carousel/instructor/socials-inside.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/instructors-carousel/instructor/socials-inside.php	2026-01-08 00:35:20.770837791 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/instructors-carousel/instructor/socials-inside.php	2026-01-08 00:38:02.124611791 +0000@@ -1,22 +1,22 @@ <div class="ms_lms_instructors_carousel__item_socials <?php echo ( ! empty( $socials_presets ) ) ? esc_attr( $socials_presets ) : 'style_1'; ?>"> 	<?php if ( ! empty( $user['meta']['facebook'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['facebook'] ); ?>" class="ms_lms_instructors_carousel__item_socials_link">-			<i class="fab fa-facebook-f"></i>+			<i class="stmlms-facebook-f"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['instagram'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['instagram'] ); ?>" class="ms_lms_instructors_carousel__item_socials_link">-			<i class="fab fa-instagram"></i>+			<i class="stmlms-instagram"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['twitter'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['twitter'] ); ?>" class="ms_lms_instructors_carousel__item_socials_link">-			<i class="fab fa-twitter"></i>+			<i class="stmlms-twitter-2"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['linkedin'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['linkedin'] ); ?>" class="ms_lms_instructors_carousel__item_socials_link">-			<i class="fab fa-linkedin"></i>+			<i class="stmlms-linkedin-2"></i> 		</a> 	<?php } ?> </div>
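Review bot: this file is the same four-icon markup as instructors-carousel/instructor/socials.php, and the instructors-grid socials.php / socials-inside.php pair repeats it again with only the `ms_lms_instructors_grid__` prefix changed; this icon swap had to be applied four times in lockstep and the copies will drift on the next one. Suggest a single shared partial that receives the class prefix. Nothing in the hunk changes escaping: `esc_url()` on each `$user['meta'][...]` link and `esc_attr()` on `$socials_presets` stay in place.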
AI Analysis
Vulnerability Existed: no

No Vulnerabilities Detected - Non-Security Change

Explanation:
This diff represents a styling/branding update, not a security fix. The changes replace Font Awesome icon classes (`fab fa-*`) with custom icon classes (`stmlms-*`). This is a purely presentational modification to the CSS class names used for rendering social media icons in the instructor carousel template.

The code maintains proper security practices throughout:
- URL output continues to use `esc_url()` for Facebook, Instagram, Twitter, and LinkedIn links
- No sensitive data exposure
- No input validation changes
- No authentication or authorization modifications
- No injection vulnerabilities introduced or fixed

This is a cosmetic update to use the theme's custom icon font instead of an external Font Awesome library, with no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/instructors-carousel/instructor/socials.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/instructors-carousel/instructor/socials.php	2026-01-08 00:35:20.774838032 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/instructors-carousel/instructor/socials.php	2026-01-08 00:38:02.124611791 +0000@@ -1,22 +1,22 @@ <div class="ms_lms_instructors_carousel__item_socials <?php echo ( ! empty( $socials_presets ) ) ? esc_attr( $socials_presets ) : 'style_1'; ?>"> 	<?php if ( ! empty( $user['meta']['facebook'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['facebook'] ); ?>" class="ms_lms_instructors_carousel__item_socials_link">-			<i class="fab fa-facebook-f"></i>+			<i class="stmlms-facebook-f"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['instagram'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['instagram'] ); ?>" class="ms_lms_instructors_carousel__item_socials_link">-			<i class="fab fa-instagram"></i>+			<i class="stmlms-instagram"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['twitter'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['twitter'] ); ?>" class="ms_lms_instructors_carousel__item_socials_link">-			<i class="fab fa-twitter"></i>+			<i class="stmlms-twitter-2"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['linkedin'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['linkedin'] ); ?>" class="ms_lms_instructors_carousel__item_socials_link">-			<i class="fab fa-linkedin"></i>+			<i class="stmlms-linkedin-2"></i> 		</a> 	<?php } ?> </div>
AI Analysis
Vulnerability Existed: no

No Security Vulnerabilities Detected - _core/stm-lms-templates/elementor-widgets/instructors-carousel/instructor/socials.php

Explanation:
This diff shows a purely cosmetic change replacing Font Awesome icon classes (`fab fa-facebook-f`, `fab fa-instagram`, `fab fa-twitter`, `fab fa-linkedin`) with custom icon classes (`stmlms-facebook-f`, `stmlms-instagram`, `stmlms-twitter-2`, `stmlms-linkedin-2`). 

The security-critical aspects of the code remain unchanged:
- Output escaping is properly maintained via `esc_url()` for the href attributes
- No new user input is being processed or output without sanitization
- No changes to logic, validation, or data handling
- The icon class names are hardcoded strings with no dynamic content injection

This is a refactoring change to use a custom icon font instead of an external dependency, with no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/instructors-grid/instructor/socials-inside.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/instructors-grid/instructor/socials-inside.php	2026-01-08 00:35:20.782838515 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/instructors-grid/instructor/socials-inside.php	2026-01-08 00:38:02.140612763 +0000@@ -1,22 +1,22 @@ <div class="ms_lms_instructors_grid__item_socials <?php echo ( ! empty( $socials_presets ) ) ? esc_attr( $socials_presets ) : 'style_1'; ?>"> 	<?php if ( ! empty( $user['meta']['facebook'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['facebook'] ); ?>" class="ms_lms_instructors_grid__item_socials_link">-			<i class="fab fa-facebook-f"></i>+			<i class="stmlms-facebook-f"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['instagram'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['instagram'] ); ?>" class="ms_lms_instructors_grid__item_socials_link">-			<i class="fab fa-instagram"></i>+			<i class="stmlms-instagram"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['twitter'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['twitter'] ); ?>" class="ms_lms_instructors_grid__item_socials_link">-			<i class="fab fa-twitter"></i>+			<i class="stmlms-twitter-2"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['linkedin'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['linkedin'] ); ?>" class="ms_lms_instructors_grid__item_socials_link">-			<i class="fab fa-linkedin"></i>+			<i class="stmlms-linkedin-2"></i> 		</a> 	<?php } ?> </div>
AI Analysis
**Vulnerability Existed: no**

No security vulnerabilities are present in this diff.

**Analysis:**

This diff contains only cosmetic changes to CSS class names used for displaying social media icons in an instructor grid template. Specifically:

- `fab fa-facebook-f` → `stmlms-facebook-f`
- `fab fa-instagram` → `stmlms-instagram`
- `fab fa-twitter` → `stmlms-twitter-2`
- `fab fa-linkedin` → `stmlms-linkedin-2`

The changes replace Font Awesome icon classes (`fab` prefix) with custom theme-specific icon classes (`stmlms` prefix).

**Security Assessment:**

1. **No input handling changes**: The diff does not modify any input validation, sanitization, or data handling logic
2. **No output encoding changes**: The `esc_url()` and `esc_attr()` functions remain in place for proper escaping of URLs and attributes
3. **No authorization/authentication changes**: Access control mechanisms are unaffected
4. **No dependency change visible in this diff**: only the class names in the markup differ; whether the Font Awesome stylesheet is still enqueued is decided elsewhere and cannot be judged from these lines
5. **No structural changes**: the HTML structure and the escaping calls remain identical

This is a benign refactoring that moves the markup from Font Awesome classes to the theme's custom icon classes, with no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/elementor-widgets/instructors-grid/instructor/socials.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/elementor-widgets/instructors-grid/instructor/socials.php	2026-01-08 00:35:20.782838515 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/elementor-widgets/instructors-grid/instructor/socials.php	2026-01-08 00:38:02.144613006 +0000@@ -1,22 +1,22 @@ <div class="ms_lms_instructors_grid__item_socials <?php echo ( ! empty( $socials_presets ) ) ? esc_attr( $socials_presets ) : 'style_1'; ?>"> 	<?php if ( ! empty( $user['meta']['facebook'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['facebook'] ); ?>" class="ms_lms_instructors_grid__item_socials_link">-			<i class="fab fa-facebook-f"></i>+			<i class="stmlms-facebook-f"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['instagram'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['instagram'] ); ?>" class="ms_lms_instructors_grid__item_socials_link">-			<i class="fab fa-instagram"></i>+			<i class="stmlms-instagram"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['twitter'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['twitter'] ); ?>" class="ms_lms_instructors_grid__item_socials_link">-			<i class="fab fa-twitter"></i>+			<i class="stmlms-twitter-2"></i> 		</a> 	<?php } ?> 	<?php if ( ! empty( $user['meta']['linkedin'] ) ) { ?> 		<a href="<?php echo esc_url( $user['meta']['linkedin'] ); ?>" class="ms_lms_instructors_grid__item_socials_link">-			<i class="fab fa-linkedin"></i>+			<i class="stmlms-linkedin-2"></i> 		</a> 	<?php } ?> </div>
AI Analysis
# Security Analysis Results

**Vulnerability Existed:** no

**Analysis Summary:**

The diff shows changes to CSS icon class names in a PHP template file, specifically replacing Font Awesome icon classes (`fab fa-*`) with custom icon classes (`stmlms-*`). This is a styling/UI update with no security implications.

**Details for Each Change:**

1. Line 4: `fab fa-facebook-f` → `stmlms-facebook-f`
2. Line 9: `fab fa-instagram` → `stmlms-instagram`
3. Line 14: `fab fa-twitter` → `stmlms-twitter-2`
4. Line 19: `fab fa-linkedin` → `stmlms-linkedin-2`

**Explanation:**

No vulnerabilities exist in this diff. The changes are purely cosmetic icon class replacements. The critical security controls remain intact:

- Output escaping via `esc_url()` on href attributes is unchanged and properly applied
- No new user input is introduced without sanitization
- No changes to authentication, authorization, or data handling logic
- The template structure and conditional checks remain the same
- This is a dependency/asset update (replacing Font Awesome with a custom icon set)

This is a safe, non-security-related change.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/expiration/expired.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/expiration/expired.php	2026-01-08 00:35:20.790838998 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/expiration/expired.php	2026-01-08 00:38:02.152613492 +0000@@ -23,7 +23,7 @@ 	<div class="stm_lms_expired_popup__inner">  		<div class="stm_lms_expired_popup__close">-			<i class="fa fa-times"></i>+			<i class="stmlms-times"></i> 		</div>  		<div class="stm_lms_expired_popup__image">
AI Analysis
Vulnerability Existed: no
No CWE - N/A - _core/stm-lms-templates/expiration/expired.php - Line 26

Old Code:
```
<i class="fa fa-times"></i>
```

Fixed Code:
```
<i class="stmlms-times"></i>
```

Explanation:
This change replaces a Font Awesome icon class (`fa fa-times`) with a custom icon class (`stmlms-times`). It is not a security fix; it is a cosmetic switch from the Font Awesome library to a custom icon set. No injection, privilege escalation, authentication bypass or other security issue is introduced or fixed. The changed line is static markup with no dynamic value, so output escaping is not a factor here.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/expiration/info.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/expiration/info.php	2026-01-08 00:35:20.790838998 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/expiration/info.php	2026-01-08 00:38:02.156613735 +0000@@ -6,7 +6,7 @@  <div class="stm_lms_expired_notice__wrapper"> 	<div class="stm_lms_expired_notice warning_expired">-		<i class="far fa-clock"></i>+		<i class="stmlms-clock"></i> 		<?php 		printf( 			wp_kses_post(
AI Analysis
Vulnerability Existed: no
No Vulnerabilities Detected - [N/A] - [_core/stm-lms-templates/expiration/info.php] [Line 9]

Old Code:
```php
<i class="far fa-clock"></i>
```

Fixed Code:
```php
<i class="stmlms-clock"></i>
```

Explanation:
This diff shows a change in CSS class names for an icon element, replacing "far fa-clock" (Font Awesome icon) with "stmlms-clock" (custom theme icon class). This is a UI/styling update with no security implications. There are no changes to:
- Input validation or sanitization
- Authentication or authorization logic
- Data handling or storage
- Output encoding
- Access controls
- Cryptographic operations
- External API calls
- SQL queries
- File operations

The modification is purely presentational and does not introduce, fix, or relate to any security vulnerabilities. No CWE applies to this change.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/expiration/not_expired.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/expiration/not_expired.php	2026-01-08 00:35:20.802839724 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/expiration/not_expired.php	2026-01-08 00:38:02.156613735 +0000@@ -10,7 +10,7 @@ ?>  <div class="stm_lms_expired_notice expired_in_progress">-	<i class="far fa-clock"></i>+	<i class="stmlms-clock"></i> 	<?php 	if ( $days_left < 1 ) { 		printf(
AI Analysis
Vulnerability Existed: no

No Vulnerability Detected - Icon Class Change Only

Old Code:
```
<i class="far fa-clock"></i>
```

Fixed Code:
```
<i class="stmlms-clock"></i>
```

Explanation:
This diff represents a change in the CSS icon class used for displaying a clock icon in an expiration notice template. The change is from Font Awesome's `far fa-clock` class to a custom `stmlms-clock` class. This is a cosmetic/UI update with no security implications. There is no vulnerability in either the old or new code - both are simple HTML markup that renders an icon element. No input validation, data processing, or security-sensitive operations are involved in this change.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/gdpr/privacy_policy.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/gdpr/privacy_policy.php	2026-01-08 00:35:20.802839724 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/gdpr/privacy_policy.php	2026-01-08 00:38:02.160613978 +0000@@ -1,21 +1,21 @@ <?php-$gdpr_warning = STM_LMS_Options::get_option('gdpr_warning');-$gdpr_page = STM_LMS_Options::get_option('gdpr_page');+$gdpr_warning = STM_LMS_Options::get_option( 'gdpr_warning' );+$gdpr_page    = STM_LMS_Options::get_option( 'gdpr_page' ); -if (!empty($gdpr_page) and !empty($gdpr_warning)): ?>+if ( ! empty( $gdpr_page ) && ! empty( $gdpr_warning ) ) : ?> -    <label class="stm_lms_styled_checkbox" style="margin-bottom: 30px">-                    <span class="stm_lms_styled_checkbox__inner">-                        <input type="checkbox"-                               name="privacy_policy"-                               v-init="hasPrivacyPolicy()"-                               v-model="privacy_policy"/>-                        <span><i class="fa fa-check"></i> </span>-                    </span>+	<label class="stm_lms_styled_checkbox" style="margin-bottom: 30px">+					<span class="stm_lms_styled_checkbox__inner">+						<input type="checkbox"+								name="privacy_policy"+								v-init="hasPrivacyPolicy()"+								v-model="privacy_policy"/>+						<span><i class="stmlms-check-3"></i> </span>+					</span> -        <a href="<?php echo esc_url(get_the_permalink($gdpr_page)); ?>" target="_blank">-            <?php echo wp_kses_post($gdpr_warning); ?>-        </a>-    </label>+		<a href="<?php echo esc_url( get_the_permalink( $gdpr_page ) ); ?>" target="_blank">+			<?php echo wp_kses_post( $gdpr_warning ); ?>+		</a>+	</label> -<?php endif; ?>\ No newline at end of file+<?php endif; ?>
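Review bot: the `<a href="..." target="_blank">` around the GDPR text still has no `rel="noopener noreferrer"`; the target is a site-configured page so the exposure is small, but this hunk already rewrites that line, so add it now. Second, `wp_kses_post( $gdpr_warning )` is echoed inside that `<a>`, and `wp_kses_post()` permits `<a>` tags, so an option value that contains its own link produces nested anchors; either drop `a` from the allowed tags for this output (`wp_kses( $gdpr_warning, array( 'strong' => array(), 'em' => array() ) )`) or move the link out of the label. The `and` to `&&` rewrite is safe here because the expression is a bare `if` condition and no assignment is involved.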
AI Analysis
# Security Analysis of Code Diff

Vulnerability Existed: no

**No Security Vulnerabilities Detected**

Explanation:
This diff contains only formatting and style changes with no security implications:

1. **Spacing adjustments** - Added spaces around parentheses and function parameters (WordPress coding standard compliance)
2. **Indentation changes** - Converted spaces to tabs for consistent formatting
3. **Icon class update** - Changed `fa fa-check` to `stmlms-check-3` (visual asset update, no security impact)
4. **Logical operator change** - `and` replaced by `&&`. The two differ in precedence (`and` binds more loosely than `=`), but here the expression is a bare `if` condition with no assignment, so the result is identical and the change is a readability improvement
5. **Conditional statement formatting** - Changed `: ?>` to `) : ?>` (formatting only)

**Security Controls Already In Place:**
- `esc_url()` - Properly sanitizes the URL in the href attribute
- `wp_kses_post()` - Properly sanitizes the warning message output
- These WordPress escaping functions remain unchanged and continue to protect against injection attacks

The code maintains all existing security measures. The changes are purely stylistic and do not alter the security posture of the template.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/global/wish-list.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/global/wish-list.php	2026-01-08 00:35:20.826841173 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/global/wish-list.php	2026-01-08 00:38:02.180615193 +0000@@ -15,22 +15,22 @@ if ( is_user_logged_in() ) { ?> 	<div class="stm-lms-wishlist" 		data-add="<?php esc_html_e( 'Add to Wishlist', 'masterstudy-lms-learning-management-system' ); ?>"-		data-add-icon="far fa-heart"+		data-add-icon="stmlms-heart-3" 		data-remove="<?php esc_html_e( 'Remove from Wishlist', 'masterstudy-lms-learning-management-system' ); ?>"-		data-remove-icon="fa fa-heart"+		data-remove-icon="stmlms-heart-2" 		data-id="<?php echo intval( $course_id ); ?>"> 		<?php if ( $wishlisted ) { ?>-			<i class="fa fa-heart"></i>+			<i class="stmlms-heart-2"></i> 			<span><?php esc_html_e( 'Remove from Wishlist', 'masterstudy-lms-learning-management-system' ); ?></span> 		<?php } else { ?>-			<i class="far fa-heart"></i>+			<i class="stmlms-heart-3"></i> 			<span><?php esc_html_e( 'Add to Wishlist', 'masterstudy-lms-learning-management-system' ); ?></span> 		<?php } ?> 	</div> <?php } else { ?> 	<div class="stm-lms-wishlist"> 		<a href="<?php echo esc_url( STM_LMS_User::login_page_url() ); ?>">-			<i class="far fa-heart"></i>+			<i class="stmlms-heart-3"></i> 			<span><?php esc_html_e( 'Add to Wishlist', 'masterstudy-lms-learning-management-system' ); ?></span> 		</a> 	</div>
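Review bot: `data-add-icon` and `data-remove-icon` are hooks for the wishlist toggle script to swap the `<i>` class after the AJAX round-trip; this hunk changes their values to `stmlms-heart-3` / `stmlms-heart-2` but that script is not part of the diff. Confirm it assigns the class from these data-* attributes rather than from a hard-coded `fa fa-heart`, otherwise the first click restores a Font Awesome class that no longer renders. Escaping is unchanged and adequate: `intval( $course_id )` on `data-id`, `esc_url()` on the login URL, `esc_html_e()` on the labels.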
AI Analysis
Vulnerability Existed: no
No CWE Applicable - N/A - _core/stm-lms-templates/global/wish-list.php - Lines 18-35

Old Code:
```php
data-add-icon="far fa-heart"
data-remove-icon="fa fa-heart"
<i class="fa fa-heart"></i>
<i class="far fa-heart"></i>
```

Fixed Code:
```php
data-add-icon="stmlms-heart-3"
data-remove-icon="stmlms-heart-2"
<i class="stmlms-heart-2"></i>
<i class="stmlms-heart-3"></i>
```

Explanation:
This diff represents a UI/styling change, not a security fix. The changes replace Font Awesome icon classes (`fa fa-heart`, `far fa-heart`) with custom icon classes (`stmlms-heart-2`, `stmlms-heart-3`). This is a visual/branding update with no security implications. No vulnerabilities are being fixed or introduced in this change. The code properly uses `esc_url()`, `esc_html_e()`, and `intval()` for output escaping in the surrounding context, maintaining existing security standards.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/pmpro/pages/checkout.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/pmpro/pages/checkout.php	2026-01-08 00:35:20.854842863 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/pmpro/pages/checkout.php	2026-01-08 00:38:02.208616895 +0000@@ -59,7 +59,7 @@ 				if ( $pmpro_msg ) { 					?> 					<div id="pmpro_message"-						class="pmpro_message <?php echo esc_attr( $pmpro_msgt ); ?>"><i class="fa fa-info"></i><?php echo wp_kses_post( $pmpro_msg ); ?></div>+						class="pmpro_message <?php echo esc_attr( $pmpro_msgt ); ?>"><i class="stmlms-info"></i><?php echo wp_kses_post( $pmpro_msg ); ?></div> 					<?php 				} else { 					?>@@ -97,7 +97,7 @@ 										<img src="<?php echo esc_url( STM_LMS_URL . 'assets/img/pmpro_img/pmpro_user.svg' ); ?>" alt=""> 										<label for="username"><?php esc_html_e( 'Username', 'masterstudy-lms-learning-management-system' ); ?></label> 									</div>-									<input id="username" name="username" type="text" +									<input id="username" name="username" type="text" 										placeholder="<?php esc_attr_e( 'Enter username', 'masterstudy-lms-learning-management-system' ); ?>" 										class="input <?php echo esc_attr( pmpro_getClassForField( 'username' ) ); ?>" size="30" 										value="<?php echo esc_attr( $username ); ?>"/>@@ -222,7 +222,7 @@ 					} 					?> 					<div id="pmpro_account_loggedin" class="message message-notice">-						<i class="fa fa-info"></i>+						<i class="stmlms-info"></i> 						<p><?php printf( wp_kses_post( __( 'You are logged in as <strong>%1$s</strong>. 
If you would like to use a different account for this membership, <a href="%2$s">%3$s.</a>', 'masterstudy-lms-learning-management-system' ) ), esc_html( $current_user->user_login ), esc_url( $url ), wp_kses_post( $text ) ); ?></p> 					</div> 				<?php } ?>@@ -237,7 +237,7 @@  				<?php if ( 'paypal' === pmpro_getGateway() && empty( $pmpro_review ) ) { ?> 					<table id="pmpro_payment_method" class="pmpro_checkout top1em" width="100%" cellpadding="0" cellspacing="0"-						border="0" +						border="0" 						<?php if ( ! $pmpro_requirebilling ) { ?> 							style="display: none;" 						<?php } ?>
AI Analysis
**Change 1:**

Vulnerability Existed: no

[No CWE - CSS Class Icon Change] - N/A - _core/stm-lms-templates/pmpro/pages/checkout.php [Lines 62, 225]

Old Code:
```php
<i class="fa fa-info"></i>
```

Fixed Code:
```php
<i class="stmlms-info"></i>
```

Explanation:
This change replaces Font Awesome icon classes ("fa fa-info") with custom icon classes ("stmlms-info"). This is a styling/branding change with no security implications. The old code did not contain a vulnerability—it was simply using a third-party icon library. The change appears to be a migration to internal icon assets, which is a maintenance improvement, not a security fix.

---

**Change 2:**

Vulnerability Existed: no

[No CWE - Whitespace Cleanup] - N/A - _core/stm-lms-templates/pmpro/pages/checkout.php [Lines 100, 240]

Old Code:
```php
<input id="username" name="username" type="text" 
```

Fixed Code:
```php
<input id="username" name="username" type="text"
```

Explanation:
This change removes trailing whitespace from HTML input tags. This is purely a code formatting/linting fix with no security implications. The old code did not contain a vulnerability.

---

**Summary:**

This diff contains **no security fixes or vulnerabilities**. The changes are:
1. Icon class migration (branding/styling)
2. Whitespace cleanup (formatting)

Both modifications are non-security related maintenance changes.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/answers/image_match.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/answers/image_match.php	2026-01-08 00:35:20.866843588 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/answers/image_match.php	2026-01-08 00:38:02.220617624 +0000@@ -73,7 +73,7 @@ 					<?php endif; ?> 					<?php if ( ! empty( $correct_answer['explain'] ) ) : ?> 						<div class="stm-lms-single-answer__hint">-							<i class="fa fa-info"></i>+							<i class="stmlms-info"></i> 							<div class="stm-lms-single-answer__hint_text"> 								<div class="inner"> 									<?php echo wp_kses_post( $correct_answer['explain'] ); ?>
AI Analysis
Vulnerability Existed: no
No Vulnerability Detected - File: _core/stm-lms-templates/questions/answers/image_match.php [Line 76]

Old Code:
```php
<i class="fa fa-info"></i>
```

Fixed Code:
```php
<i class="stmlms-info"></i>
```

Explanation:
This diff represents a change in CSS class names for an icon element, changing from Font Awesome (`fa fa-info`) to a custom class (`stmlms-info`). This is a styling/UI update with no security implications. No vulnerability exists in either the old or new code. The change does not introduce, fix, or relate to any CWE vulnerability - it's purely a cosmetic class name modification for icon rendering.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/answers/item_match.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/answers/item_match.php	2026-01-08 00:35:20.866843588 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/answers/item_match.php	2026-01-08 00:38:02.224617866 +0000@@ -46,7 +46,7 @@ 							<div class="stm_lms_question_item_match__match"></div> 							<?php if ( ! empty( $correct_answer['explain'] ) ) : ?> 								<div class="stm-lms-single-answer__hint">-									<i class="fa fa-info"></i>+									<i class="stmlms-info"></i> 									<div class="stm-lms-single-answer__hint_text"> 										<div class="inner"> 											<?php echo wp_kses_post( $correct_answer['explain'] ); ?>@@ -72,7 +72,7 @@  						<?php if ( ! empty( $correct_answer['explain'] ) ) : ?> 							<div class="stm-lms-single-answer__hint">-								<i class="fa fa-info"></i>+								<i class="stmlms-info"></i> 								<div class="stm-lms-single-answer__hint_text"> 									<div class="inner"> 										<?php echo wp_kses_post( $correct_answer['explain'] ); ?>
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Vulnerability Existed:** no

**No Security Vulnerabilities Detected**

**Explanation:**
This diff shows a simple CSS class name change from `fa fa-info` (Font Awesome icon class) to `stmlms-info` (custom icon class) in two locations within a PHP template file. This is purely a presentational/UI change with no security implications.

The change does not involve:
- Input validation or sanitization modifications
- Authentication or authorization changes
- Data handling or storage modifications
- SQL queries or database operations
- File operations or system calls
- External service calls
- Sensitive data exposure
- Cryptographic operations

The surrounding code uses `wp_kses_post()` for sanitizing user-supplied content, which remains unchanged and properly protects against XSS attacks.

**Conclusion:** This is a cosmetic update to icon styling with zero security impact. No vulnerabilities were introduced or fixed by this change.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/answers/keywords.php AI: 2 vulnerabilities 2 false positives
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/answers/keywords.php	2026-01-08 00:35:20.870843829 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/answers/keywords.php	2026-01-08 00:38:02.224617866 +0000@@ -8,56 +8,64 @@  * @var string $question_hint  * @var string $item_id  */-$question_id = get_the_ID();-$show_correct_answer = get_post_meta($item_id, 'correct_answer', true);-$answers_for = (!empty($answers)) ? wp_list_pluck($answers, 'text') : array();+$question_id         = get_the_ID();+$show_correct_answer = get_post_meta( $item_id, 'correct_answer', true );+$answers_for         = ( ! empty( $answers ) ) ? wp_list_pluck( $answers, 'text' ) : array(); -$uniq_id = uniqid('quiz_');-$uniq_id_script = "var " . $uniq_id . " = " . json_encode(array_map('strtolower', $answers_for));+$uniq_id        = uniqid( 'quiz_' );+$uniq_id_script = 'var ' . $uniq_id . ' = ' . wp_json_encode( array_map( 'strtolower', $answers_for ) ); -stm_lms_register_style('keywords_question');+stm_lms_register_style( 'keywords_question' );  $user_answers = array();-if (!empty($user_answer['user_answer'])) {-    $user_answers = explode('[stm_lms_sep]', str_replace('[stm_lms_keywords]', '', $user_answer['user_answer']));+if ( ! empty( $user_answer['user_answer'] ) ) {+	$user_answers = explode( '[stm_lms_sep]', str_replace( '[stm_lms_keywords]', '', $user_answer['user_answer'] ) ); } -if (!empty($answers)): ?>+if ( ! empty( $answers ) ) : ?> -    <div class="stm_lms_question_item_keywords" data-quiz="<?php echo esc_attr($uniq_id); ?>">+	<div class="stm_lms_question_item_keywords" data-quiz="<?php echo esc_attr( $uniq_id ); ?>"> -        <div class="stm_lms_question_item_keywords__answers">-            <?php foreach ($answers as $i => $correct_answer):-                $is_correct = (!empty($user_answers[$i]) && strtolower($user_answers[$i]) === strtolower($correct_answer['text'])) ? 
'correct' : 'incorrect';-                ?>-                <div class="stm_lms_question_item_keywords__answer stm_lms_question_item_keywords__answer_<?php echo esc_attr($i); ?> <?php echo esc_attr($is_correct); ?>">-                    <h5 class="label_keyword">-                        <?php printf(esc_html__('Keyword #%s', 'masterstudy-lms-learning-management-system'), $i + 1); ?>-                    </h5>-                    <div class="value">-                        <span><?php-                            if($show_correct_answer){-                                echo esc_html($correct_answer['text']);-                            }-                            elseif(!empty($user_answers[$i])) {-                                echo esc_html($user_answers[$i]);-                            }-                            ?></span>-                        <?php if (!empty($correct_answer['explain'])): ?>-                            <div class="stm-lms-single-answer__hint">-                                <i class="fa fa-info"></i>-                                <div class="stm-lms-single-answer__hint_text">-                                    <div class="inner">-                                        <?php echo wp_kses_post($correct_answer['explain']); ?>-                                    </div>-                                </div>-                            </div>-                        <?php endif; ?>-                    </div>-                </div>-            <?php endforeach; ?>-        </div>+		<div class="stm_lms_question_item_keywords__answers">+			<?php+			foreach ( $answers as $i => $correct_answer ) :+				$is_correct = ( ! empty( $user_answers[ $i ] ) && strtolower( $user_answers[ $i ] ) === strtolower( $correct_answer['text'] ) ) ? 
'correct' : 'incorrect';+				?>+				<div class="stm_lms_question_item_keywords__answer stm_lms_question_item_keywords__answer_<?php echo esc_attr( $i ); ?> <?php echo esc_attr( $is_correct ); ?>">+					<h5 class="label_keyword">+						<?php+						printf(+							/* translators: %s: keyword index (starting from 1). */+							esc_html__( 'Keyword #%s', 'masterstudy-lms-learning-management-system' ),+							(int) $i + 1+						);+						?>+					</h5>+					<div class="value">+						<span>+						<?php+						if ( $show_correct_answer ) {+							echo esc_html( $correct_answer['text'] );+						} elseif ( ! empty( $user_answers[ $i ] ) ) {+							echo esc_html( $user_answers[ $i ] );+						}+						?>+						</span>+						<?php if ( ! empty( $correct_answer['explain'] ) ) : ?>+							<div class="stm-lms-single-answer__hint">+								<i class="stmlms-info"></i>+								<div class="stm-lms-single-answer__hint_text">+									<div class="inner">+										<?php echo wp_kses_post( $correct_answer['explain'] ); ?>+									</div>+								</div>+							</div>+						<?php endif; ?>+					</div>+				</div>+			<?php endforeach; ?>+		</div> -    </div>+	</div> -<?php endif; ?>\ No newline at end of file+<?php endif; ?>
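Review bot: the `json_encode()` to `wp_json_encode()` swap on the `$uniq_id_script` line is a robustness change, not an output-encoding fix, so a CWE-79 label for it does not hold. PHP's `json_encode()` already escapes `/` as `\/` by default, so a `</script>` sequence inside an answer text cannot close an inline script in either version; what `wp_json_encode()` adds is a retry with sanitised data when the input contains invalid UTF-8, where plain `json_encode()` returns `false` and the line would degrade to `var quiz_... = ` with no value, a JavaScript syntax error. The hunk does not show where `$uniq_id_script` is emitted; if it is echoed into a `<script>` tag directly, moving it to `wp_add_inline_script()` would keep inline-script handling in WordPress's hands. The `(int) $i + 1` argument to `printf()` parses as `((int) $i) + 1`, which is the intended value, and `$is_correct` still only ever holds `'correct'` or `'incorrect'` before it reaches `esc_attr()`.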
AI Analysis
# Security Analysis of Code Diff

## Vulnerability 1

**Vulnerability Existed: yes**
FALSE POSITIVE

**Improper Output Encoding - CWE-79** - `_core/stm-lms-templates/questions/answers/keywords.php` (Lines 15-16)

**Old Code:**
```php
$uniq_id_script = "var " . $uniq_id . " = " . json_encode(array_map('strtolower', $answers_for));
```

**Fixed Code:**
```php
$uniq_id_script = 'var ' . $uniq_id . ' = ' . wp_json_encode( array_map( 'strtolower', $answers_for ) );
```

**Explanation:**
The original code used `json_encode()` to encode the answers array for output in a JavaScript context. This is vulnerable because `json_encode()` does not account for all JavaScript-specific encoding requirements. The fix replaces `json_encode()` with WordPress's `wp_json_encode()`, which properly escapes the JSON data for safe output in HTML/JavaScript contexts, preventing potential XSS attacks if the answers contain special characters or quote characters that could break out of the JavaScript string context.

---

## Vulnerability 2

**Vulnerability Existed: yes**
FALSE POSITIVE

**Cross-Site Scripting (XSS) - CWE-79** - `_core/stm-lms-templates/questions/answers/keywords.php` (Line 38)

**Old Code:**
```php
printf(esc_html__('Keyword #%s', 'masterstudy-lms-learning-management-system'), $i + 1);
```

**Fixed Code:**
```php
printf(
    /* translators: %s: keyword index (starting from 1). */
    esc_html__( 'Keyword #%s', 'masterstudy-lms-learning-management-system' ),
    (int) $i + 1
);
```

**Explanation:**
The original code passed `$i + 1` directly to `printf()` without type casting. While `$i` comes from `foreach` iteration and is numerically safe, the fix adds explicit type casting `(int) $i + 1` to ensure the value is always treated as an integer. Additionally, a translator comment was added for better localization context. This improves code safety by explicitly enforcing type expectations and reduces the theoretical risk of unexpected variable behavior.

---

## Vulnerability 3

**Vulnerability Existed: not sure**

**Potential Information Disclosure / Icon Class Change - CWE-434** - `_core/stm-lms-templates/questions/answers/keywords.php` (Line 50)

**Old Code:**
```php
<i class="fa fa-info"></i>
```

**Fixed Code:**
```php
<i class="stmlms-info"></i>
```

**Explanation:**
The icon class was changed from `fa fa-info` (Font Awesome) to `stmlms-info` (custom class). This is not a direct security vulnerability, but represents a dependency change. The original code depended on Font Awesome being loaded externally, which could have had implications for third-party dependencies or CDN availability. The fix moves to a custom icon system, which reduces external dependencies and potential security surface area related to compromised third-party icon libraries.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/answers/multi_choice.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/answers/multi_choice.php	2026-01-08 00:35:20.870843829 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/answers/multi_choice.php	2026-01-08 00:38:02.224617866 +0000@@ -60,7 +60,7 @@ 				type="checkbox" 				name="<?php echo esc_attr( $question_id ); ?>[]" 				value="<?php echo esc_attr( $full_answer ); ?>"/>-			<i class="fa fa-check"></i>+			<i class="stmlms-check-3"></i> 			<?php 			if ( $is_image ) { 				if ( ! empty( $answer['text_image']['url'] ) ) {@@ -68,7 +68,7 @@ 					<img src="<?php echo esc_url( $answer['text_image']['url'] ); ?>"/> 				<?php } else { ?> 					<div class="empty-image">-						<i class="fa fa-image"></i>+						<i class="stmlms-image-2"></i> 					</div> 					<?php 				}@@ -79,7 +79,7 @@ 			if ( ! empty( $answer['explain'] ) ) { 				?> 				<div class="stm-lms-single-answer__hint">-					<i class="fa fa-info"></i>+					<i class="stmlms-info"></i> 					<div class="stm-lms-single-answer__hint_text"> 						<div class="inner"> 							<?php echo wp_kses_post( $answer['explain'] ); ?>
AI Analysis
Vulnerability Existed: no
No vulnerabilities identified - File: _core/stm-lms-templates/questions/answers/multi_choice.php

Old Code (lines 63, 71, 82):
```php
<i class="fa fa-check"></i>
<i class="fa fa-image"></i>
<i class="fa fa-info"></i>
```

Fixed Code (lines 63, 71, 82):
```php
<i class="stmlms-check-3"></i>
<i class="stmlms-image-2"></i>
<i class="stmlms-info"></i>
```

Explanation:
This diff shows a refactoring of icon class names from Font Awesome classes (fa fa-check, fa fa-image, fa fa-info) to custom icon classes (stmlms-check-3, stmlms-image-2, stmlms-info).

The old code uses Font Awesome icon classes which are non-sensitive markup changes. The new code replaces these with custom LMS icon classes. Since these are purely presentational HTML class names with no security implications (no data handling, no privilege changes, no input validation changes), this is a cosmetic/styling update with no security vulnerabilities. The values are hardcoded strings used for CSS styling only and do not involve any user input, data processing, or security-critical operations.

No CWE applies to this change.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/answers/single_choice.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/answers/single_choice.php	2026-01-08 00:35:20.874844071 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/answers/single_choice.php	2026-01-08 00:38:02.228618109 +0000@@ -75,7 +75,7 @@ 				disabled 				name="<?php echo esc_attr( $question_id ); ?>" 				value="<?php echo wp_kses_post( $full_answer ); ?>"/>-			<i class="fa fa-check"></i>+			<i class="stmlms-check-3"></i>  			<?php 			if ( $is_image ) {@@ -84,7 +84,7 @@ 					<img src="<?php echo esc_url( $answer['text_image']['url'] ); ?>"/> 				<?php } else { ?> 					<div class="empty-image">-						<i class="fa fa-image"></i>+						<i class="stmlms-image-2"></i> 					</div> 					<?php 				}@@ -95,7 +95,7 @@ 			if ( ! empty( $answer['explain'] ) ) : 				?> 				<div class="stm-lms-single-answer__hint">-					<i class="fa fa-info"></i>+					<i class="stmlms-info"></i> 					<div class="stm-lms-single-answer__hint_text"> 						<div class="inner"> 							<?php echo wp_kses_post( $answer['explain'] ); ?>
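Review bot: the unchanged context line `value="<?php echo wp_kses_post( $full_answer ); ?>"/>` uses a content filter where an attribute escaper belongs; `wp_kses_post()` removes disallowed tags but leaves a double quote untouched, so a `"` in `$full_answer` would terminate the attribute. The sibling template `multi_choice.php` in the same directory, changed in this same patch, escapes the identical attribute with `esc_attr( $full_answer )`. Since this hunk already touches the line directly below, aligning the two templates on `esc_attr()` here would be a one-line consistency fix.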
AI Analysis
I'll analyze this code diff for security vulnerabilities.

---

**Vulnerability Existed: no**

**No Vulnerabilities Identified** - File: `_core/stm-lms-templates/questions/answers/single_choice.php` [Lines 78, 87, 98]

**Old Code:**
```php
<i class="fa fa-check"></i>
<i class="fa fa-image"></i>
<i class="fa fa-info"></i>
```

**Fixed Code:**
```php
<i class="stmlms-check-3"></i>
<i class="stmlms-image-2"></i>
<i class="stmlms-info"></i>
```

**Explanation:**

This diff represents a migration from Font Awesome icon classes (`fa fa-check`, `fa fa-image`, `fa fa-info`) to custom application icon classes (`stmlms-check-3`, `stmlms-image-2`, `stmlms-info`). 

The changes do not introduce or fix any security vulnerabilities. This is a purely cosmetic/styling update:
- No user input is being processed or sanitized differently
- No authentication or authorization logic is affected
- No sensitive data handling is changed
- The output is still wrapped in appropriate escaping functions (`wp_kses_post`, `esc_url`, `esc_attr`) where applicable
- No injection vectors are created or removed
- The icon classes themselves are hardcoded strings, not derived from untrusted sources

This is a safe refactoring with no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/answers/true_false.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/answers/true_false.php	2026-01-08 00:35:20.874844071 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/answers/true_false.php	2026-01-08 00:38:02.232618353 +0000@@ -61,7 +61,7 @@ 					disabled 					name="<?php echo esc_attr( $question_id ); ?>" 					value="<?php echo esc_attr( $answer['text'] ); ?>"/>-			<i class="fa fa-check"></i>+			<i class="stmlms-check-3"></i> 			<?php echo esc_html( $answer['label'] ); ?> 		</label> 	</div>
AI Analysis
Vulnerability Existed: no

No Vulnerability Detected - [File] _core/stm-lms-templates/questions/answers/true_false.php [Line 64]

Old Code:
```php
<i class="fa fa-check"></i>
```

Fixed Code:
```php
<i class="stmlms-check-3"></i>
```

Explanation:
This change replaces a Font Awesome icon class (`fa fa-check`) with a custom icon class (`stmlms-check-3`). This is a UI/styling update with no security implications. Both the old and new code do not introduce, contain, or fix any security vulnerabilities. The change does not affect input validation, sanitization, authentication, authorization, data handling, or any other security-related functionality. The `esc_attr()` and `esc_html()` functions used elsewhere in the code are properly applied to escape user-controlled data, maintaining security regardless of which icon class is used.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/multi_choice.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/multi_choice.php	2026-01-08 00:35:20.882844554 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/multi_choice.php	2026-01-08 00:38:02.240618838 +0000@@ -9,7 +9,7 @@  */  $question_id = get_the_ID();-$is_image    = (bool) ( ! empty( $question_view_type ) && 'image' == $question_view_type );+$is_image    = (bool) ( ! empty( $question_view_type ) && 'image' === $question_view_type );  foreach ( $answers as $answer ) : 	$full_answer = ( ! empty( $answer['text_image']['url'] ) )@@ -21,22 +21,26 @@ 			<input type="checkbox" 					name="<?php echo esc_attr( $question_id ); ?>[]" 					value="<?php echo esc_attr( $full_answer ); ?>"/>-			<i class="fa fa-check"></i>-			<?php if ( $is_image ) {-				if ( ! empty( $answer['text_image']['url'] ) ) { ?>+			<i class="stmlms-check-3"></i>+			<?php+			if ( $is_image ) {+				if ( ! empty( $answer['text_image']['url'] ) ) {+					?> 					<img src="<?php echo esc_url( $answer['text_image']['url'] ); ?>"/> 				<?php } else { ?> 					<div class="empty-image">-						<i class="fa fa-image"></i>+						<i class="stmlms-image-2"></i> 					</div>-				<?php }-			} else  {-				echo wp_kses( $answer['text'], [] );-			} ?>+					<?php+				}+			} else {+				echo wp_kses( $answer['text'], array() );+			}+			?> 		</label> 		<?php if ( $is_image && ! empty( $answer['text'] ) ) { ?>-			<span><?php echo wp_kses( $answer['text'], [] ); ?></span>+			<span><?php echo wp_kses( $answer['text'], array() ); ?></span> 		<?php } ?> 	</div>-<?php+	<?php endforeach;
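Review bot: the `'image' == $question_view_type` to `===` change on the `$is_image` line is behaviour-preserving for the string values a view-type setting carries and removes a loose-comparison edge case (a boolean `true` compares equal to `'image'` under `==`); the `! empty()` guard in front of it still earns its place because it also covers an undeclared `$question_view_type` without a notice. `wp_kses( $answer['text'], array() )` with an empty allowed-tags array strips every tag, and the `[]` to `array()` rewrite is WordPress coding-style only; if stripping all tags is the intent, `wp_strip_all_tags()` states it more directly. Both `echo wp_kses(...)` calls emit element text rather than attribute values, so the lack of quote encoding is fine at those two sites, and the `value` attribute keeps `esc_attr( $full_answer )`.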
AI Analysis
Vulnerability Existed: no
[Cross-Site Scripting (XSS)] - [CWE-79] - [_core/stm-lms-templates/questions/multi_choice.php] [Lines 36, 42]

Old Code:
```php
echo wp_kses( $answer['text'], [] );
echo wp_kses( $answer['text'], [] );
```

Fixed Code:
```php
echo wp_kses( $answer['text'], array() );
echo wp_kses( $answer['text'], array() );
```

Explanation:
No vulnerability existed in the original code. Both `[]` (short array syntax) and `array()` (long array syntax) are functionally equivalent in PHP and pass an empty allowed HTML tags array to `wp_kses()`. The function `wp_kses()` already provides XSS protection by sanitizing content against the specified allowed tags. This change is a code style/consistency improvement (modernizing to use explicit `array()` syntax) rather than a security fix. The other changes (strict comparison `===` vs loose `==`, icon class name changes from Font Awesome to custom classes, and code formatting) are also non-security improvements.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/single_choice.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/single_choice.php	2026-01-08 00:35:20.886844795 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/single_choice.php	2026-01-08 00:38:02.240618838 +0000@@ -9,7 +9,7 @@  */  $question_id = get_the_ID();-$is_image    = (bool) ( ! empty( $question_view_type ) && 'image' == $question_view_type );+$is_image    = (bool) ( ! empty( $question_view_type ) && 'image' === $question_view_type );  foreach ( $answers as $answer ) : 	$full_answer = ( ! empty( $answer['text_image']['url'] ) )@@ -21,22 +21,26 @@ 			<input type="radio" 					name="<?php echo esc_attr( $question_id ); ?>" 					value="<?php echo esc_attr( $full_answer ); ?>"/>-			<i class="fa fa-check"></i>-			<?php if ( $is_image ) {-				if ( ! empty( $answer['text_image']['url'] ) ) { ?>+			<i class="stmlms-check-3"></i>+			<?php+			if ( $is_image ) {+				if ( ! empty( $answer['text_image']['url'] ) ) {+					?> 					<img src="<?php echo esc_url( $answer['text_image']['url'] ); ?>"/> 				<?php } else { ?> 					<div class="empty-image">-						<i class="fa fa-image"></i>+						<i class="stmlms-image-2"></i> 					</div>-				<?php }-			} else  {-				echo wp_kses( $answer['text'], [] );-			} ?>+					<?php+				}+			} else {+				echo wp_kses( $answer['text'], array() );+			}+			?> 		</label> 		<?php if ( $is_image && ! empty( $answer['text'] ) ) { ?>-			<span><?php echo wp_kses( $answer['text'], [] ); ?></span>+			<span><?php echo wp_kses( $answer['text'], array() ); ?></span> 		<?php } ?> 	</div>-<?php+	<?php endforeach;
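Review bot: this hunk is the `multi_choice.php` change with `type="radio"` and a non-array `name` attribute in place of `type="checkbox"`, and the same escaping observations apply: `esc_attr()` on the `value` attribute, tag-stripping `wp_kses( ..., array() )` on element text, and a behaviour-preserving `===` on the `$is_image` line. The two templates now differ in a single input attribute; extracting the shared markup into one partial would mean any future escaping fix lands once instead of twice.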
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no
[Cross-Site Scripting (XSS)] - [CWE-79] - single_choice.php [35, 43]

Old Code:
```php
echo wp_kses( $answer['text'], [] );
echo wp_kses( $answer['text'], [] );
```

Fixed Code:
```php
echo wp_kses( $answer['text'], array() );
echo wp_kses( $answer['text'], array() );
```

Explanation:
No vulnerability existed. The use of `wp_kses()` with an empty array `[]` was already providing XSS protection by stripping all HTML tags from the output. The change from `[]` to `array()` is a PHP coding style improvement (avoiding short array syntax) but does not change the security behavior. Both versions safely sanitize the output against XSS attacks by allowing no HTML tags through.

Vulnerability Existed: no
[Loose Comparison] - [CWE-1025] - single_choice.php [12]

Old Code:
```php
$is_image = (bool) ( ! empty( $question_view_type ) && 'image' == $question_view_type );
```

Fixed Code:
```php
$is_image = (bool) ( ! empty( $question_view_type ) && 'image' === $question_view_type );
```

Explanation:
No security vulnerability existed with the loose comparison operator `==`, but the change to strict comparison `===` is a best practice improvement. The strict comparison eliminates potential type juggling issues (e.g., if `$question_view_type` was the integer `0`, it would not match 'image' with strict comparison). This is a code quality improvement rather than a security fix, but it does reduce the potential for unexpected behavior.

Vulnerability Existed: no
[UI/Icon Library Change] - [No CWE] - single_choice.php [24, 32]

Old Code:
```php
<i class="fa fa-check"></i>
<i class="fa fa-image"></i>
```

Fixed Code:
```php
<i class="stmlms-check-3"></i>
<i class="stmlms-image-2"></i>
```

Explanation:
No security vulnerability. This is a change in CSS icon classes from Font Awesome (fa fa-check, fa fa-image) to a custom icon library (stmlms-check-3, stmlms-image-2). This is purely a presentational change with no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/questions/true_false.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/questions/true_false.php	2026-01-08 00:35:20.886844795 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/questions/true_false.php	2026-01-08 00:38:02.244619082 +0000@@ -17,7 +17,7 @@ 	<div class="stm-lms-single-answer"> 		<label> 			<input type="radio" name="<?php echo esc_attr( $question_id ); ?>"  value="<?php echo esc_attr( $answer['value'] ); ?>"/>-			<i class="fa fa-check"></i>+			<i class="stmlms-check-3"></i> 				<?php echo esc_html( $answer['text'] ); ?> 		</label> 	</div>
AI Analysis
Vulnerability Existed: no
No CWE Applicable - N/A - _core/stm-lms-templates/questions/true_false.php Line 20

[Old Code]
```
<i class="fa fa-check"></i>
```

[Fixed Code]
```
<i class="stmlms-check-3"></i>
```

Explanation:
This change replaces a Font Awesome icon class reference (`fa fa-check`) with a custom icon class (`stmlms-check-3`). This is a UI/styling change with no security implications. The old code was not vulnerable to any security issues—it simply referenced an external icon library class. The new code uses an internal icon class instead. No CWE or security vulnerability exists in either version of this code. The change appears to be a dependency removal or icon library migration.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/shortcodes/stm_lms_courses_carousel.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/shortcodes/stm_lms_courses_carousel.php	2026-01-08 00:35:20.902845761 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/shortcodes/stm_lms_courses_carousel.php	2026-01-08 00:38:02.264620297 +0000@@ -186,10 +186,10 @@ 			<?php if ( 'disable' !== $prev_next ) : ?> 				<div class="stm_lms_courses_carousel__buttons"> 					<div class="stm_lms_courses_carousel__button stm_lms_courses_carousel__button_prev sbc_h sbrc_h">-						<i class="fa fa-chevron-left"></i>+						<i class="stmlms-chevron-left-2"></i> 					</div> 					<div class="stm_lms_courses_carousel__button stm_lms_courses_carousel__button_next sbc_h sbrc_h">-						<i class="fa fa-chevron-right"></i>+						<i class="stmlms-chevron-right-2"></i> 					</div> 				</div> 			<?php endif; ?>
AI Analysis
Vulnerability Existed: no

No Security Vulnerabilities Detected

Explanation:
This diff shows changes to icon class names in a WordPress/PHP template file. Specifically, it replaces Font Awesome icon classes (`fa fa-chevron-left` and `fa fa-chevron-right`) with custom icon classes (`stmlms-chevron-left-2` and `stmlms-chevron-right-2`).

This is a purely cosmetic/presentational change that:
- Does not involve user input handling
- Does not modify any security-related logic
- Does not introduce new attack vectors
- Does not affect authentication, authorization, or data handling
- Is simply updating UI icon references

There are no security fixes present in this diff because there were no security vulnerabilities in the original code. The original code using Font Awesome classes was not vulnerable, and the updated code using custom icon classes is equally safe from a security perspective.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/shortcodes/stm_lms_instructors_carousel.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/shortcodes/stm_lms_instructors_carousel.php	2026-01-08 00:35:20.906846003 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/shortcodes/stm_lms_instructors_carousel.php	2026-01-08 00:38:02.272620782 +0000@@ -75,10 +75,10 @@ 				<?php if ( 'disable' !== $prev_next && 'style_2' === $style ) : ?> 					<div class="stm_lms_courses_carousel__buttons"> 						<div class="stm_lms_courses_carousel__button stm_lms_courses_carousel__button_prev sbc_h sbrc_h">-							<i class="fa fa-chevron-left"></i>+							<i class="stmlms-chevron-left-2"></i> 						</div> 						<div class="stm_lms_courses_carousel__button stm_lms_courses_carousel__button_next sbc_h sbrc_h">-							<i class="fa fa-chevron-right"></i>+							<i class="stmlms-chevron-right-2"></i> 						</div> 					</div> 				<?php endif; ?>@@ -108,17 +108,17 @@ 										<div class="user_socials"> 											<?php if ( ! empty( $user['meta']['twitter'] ) ) : ?> 												<a href="<?php echo esc_url( $user['meta']['twitter'] ); ?>" class="twitter">-													<i class="fab fa-twitter"></i>+													<i class="stmlms-twitter-2"></i> 												</a> 											<?php endif; ?> 											<?php if ( ! empty( $user['meta']['facebook'] ) ) : ?> 												<a href="<?php echo esc_url( $user['meta']['facebook'] ); ?>" class="facebook">-													<i class="fab fa-facebook-f"></i>+													<i class="stmlms-facebook-f"></i> 												</a> 											<?php endif; ?> 											<?php if ( ! 
empty( $user['meta']['instagram'] ) ) : ?> 												<a href="<?php echo esc_url( $user['meta']['instagram'] ); ?>" class="instagram">-													<i class="fab fa-instagram"></i>+													<i class="stmlms-instagram"></i> 												</a> 											<?php endif; ?> 										</div>@@ -163,10 +163,10 @@ 			<?php if ( 'disable' !== $prev_next && 'style_2' !== $style ) : ?> 				<div class="stm_lms_courses_carousel__buttons"> 					<div class="stm_lms_courses_carousel__button stm_lms_courses_carousel__button_prev sbc_h sbrc_h">-						<i class="fa fa-chevron-left"></i>+						<i class="stmlms-chevron-left-2"></i> 					</div> 					<div class="stm_lms_courses_carousel__button stm_lms_courses_carousel__button_next sbc_h sbrc_h">-						<i class="fa fa-chevron-right"></i>+						<i class="stmlms-chevron-right-2"></i> 					</div> 				</div> 			<?php endif; ?>
AI Analysis
Vulnerability Existed: no

No vulnerability - N/A - stm_lms_instructors_carousel.php [78, 81, 111, 115, 119, 166, 169]

Old Code:
```php
<i class="fa fa-chevron-left"></i>
<i class="fa fa-chevron-right"></i>
<i class="fab fa-twitter"></i>
<i class="fab fa-facebook-f"></i>
<i class="fab fa-instagram"></i>
```

Fixed Code:
```php
<i class="stmlms-chevron-left-2"></i>
<i class="stmlms-chevron-right-2"></i>
<i class="stmlms-twitter-2"></i>
<i class="stmlms-facebook-f"></i>
<i class="stmlms-instagram"></i>
```

Explanation:
This diff replaces Font Awesome icon classes with the plugin's own icon classes. It is not a security fix but a refactoring away from an external icon dependency, and it neither introduces nor remediates a vulnerability. The HTML output is equally safe in both versions: the icon class names are static strings with no user input involved, and the only user-controlled values in the hunk, the social profile URLs, are wrapped in `esc_url()` before and after the change.

---

**Summary:** No security vulnerabilities were identified in this diff. The changes consist entirely of icon class name replacements with no security implications.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/shortcodes/stm_lms_single_course_carousel.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/shortcodes/stm_lms_single_course_carousel.php	2026-01-08 00:35:20.914846486 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/shortcodes/stm_lms_single_course_carousel.php	2026-01-08 00:38:02.276621026 +0000@@ -97,10 +97,10 @@ 		<?php if ( 'disable' !== $prev_next ) : ?> 			<div class="stm_lms_courses_carousel__buttons"> 				<div class="stm_lms_courses_carousel__button stm_lms_courses_carousel__button_prev sbc_h sbrc_h">-					<i class="fa fa-chevron-left"></i>+					<i class="stmlms-chevron-left-2"></i> 				</div> 				<div class="stm_lms_courses_carousel__button stm_lms_courses_carousel__button_next sbc_h sbrc_h">-					<i class="fa fa-chevron-right"></i>+					<i class="stmlms-chevron-right-2"></i> 				</div> 			</div> 		<?php endif; ?>
AI Analysis
Vulnerability Existed: no

Explanation:
This diff shows changes to CSS icon class names in a WordPress/PHP template file. The changes replace Font Awesome icon classes (`fa fa-chevron-left` and `fa fa-chevron-right`) with custom icon classes (`stmlms-chevron-left-2` and `stmlms-chevron-right-2`). 

This is a cosmetic/styling update with no security implications. The code:
- Does not involve user input handling
- Does not perform any data processing or validation
- Does not access databases, files, or external resources
- Does not have authentication or authorization logic
- Simply changes which CSS classes are applied to icon elements

There are no CWE-related vulnerabilities present in this change. This is purely a visual/UI update to use custom icons instead of Font Awesome icons.
CVE Analysis Results:
CVE-2025-13766: No
_core/stm-lms-templates/wizard/fields/pages.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/_core/stm-lms-templates/wizard/fields/pages.php	2026-01-08 00:35:20.962849384 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/_core/stm-lms-templates/wizard/fields/pages.php	2026-01-08 00:38:02.328624185 +0000@@ -31,8 +31,8 @@ 		<?php echo esc_attr( $page_key ); ?>: '<?php echo esc_html( $page ); ?>', 	<?php endforeach; ?> 	})">-	<i class="fa fa-arrow-right" v-if="!loading_system_pages"></i>-	<i class="fa fa-circle-notch" v-else></i>+	<i class="stmlms-arrow-right-2" v-if="!loading_system_pages"></i>+	<i class="stmlms-circle-notch" v-else></i> 	<span v-if="!loading_system_pages"> 		<?php echo esc_html( $btn_title ); ?> 	</span>
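Review bot: in the unchanged context lines, `<?php echo esc_html( $page ); ?>` is emitted inside a single-quoted JavaScript string literal that appears to sit inside an HTML attribute (the context ends with `})">`); the escaper matching that context is `esc_js()` (or `wp_json_encode()` for the whole object), because the HTML parser decodes the entities `esc_html()` produced before the expression is evaluated, so an encoded quote comes back as a quote. This is pre-existing and not changed by this hunk, which only swaps the two icon classes; worth a follow-up rather than a blocker on this change.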
AI Analysis
Vulnerability Existed: no

No CWE - N/A - _core/stm-lms-templates/wizard/fields/pages.php Lines 34-35

Old Code:
```
	<i class="fa fa-arrow-right" v-if="!loading_system_pages"></i>
	<i class="fa fa-circle-notch" v-else></i>
```

Fixed Code:
```
	<i class="stmlms-arrow-right-2" v-if="!loading_system_pages"></i>
	<i class="stmlms-circle-notch" v-else></i>
```

Explanation:
This diff shows a change from Font Awesome icon classes (`fa fa-arrow-right`, `fa fa-circle-notch`) to custom icon classes (`stmlms-arrow-right-2`, `stmlms-circle-notch`). This is a purely cosmetic/UI update with no security implications. The change does not involve:
- Input validation or sanitization
- Authentication or authorization logic
- Data handling or processing
- SQL queries or database operations
- File operations or system calls
- Sensitive information exposure

The escaping calls in the surrounding context (`esc_attr`, `esc_html`) and the Vue.js template syntax are untouched by this diff, which changes only the two icon class names. This is a legitimate icon library migration with no vulnerabilities present.
CVE Analysis Results:
CVE-2025-13766: No
assets/gutenberg/blocks/courses/presets/classic/index.asset.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/assets/gutenberg/blocks/courses/presets/classic/index.asset.php	2026-01-08 00:35:15.734533748 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/assets/gutenberg/blocks/courses/presets/classic/index.asset.php	2026-01-08 00:37:48.343774754 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => '2a52c133adb6faa07c8c');+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => '26fdd43a2ef470e07f80');
AI Analysis
Vulnerability Existed: no

No CWE Vulnerability Identified

Old Code:
```php
<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => '2a52c133adb6faa07c8c');
```

Fixed Code:
```php
<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => '26fdd43a2ef470e07f80');
```

Explanation:
This diff shows only a version hash update in an asset manifest file (from `2a52c133adb6faa07c8c` to `26fdd43a2ef470e07f80`). The file contains metadata for a WordPress Gutenberg block asset with dependency declarations. The change is purely a cache-busting version string update with no modifications to code logic, dependencies, or security-relevant functionality. No security vulnerabilities are present in either version, and no security fixes are being applied—this is a routine version bump for asset management.
CVE Analysis Results:
CVE-2025-13766: No
assets/gutenberg/blocks/courses/presets/classic/view.asset.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/assets/gutenberg/blocks/courses/presets/classic/view.asset.php	2026-01-08 00:35:15.742534231 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/assets/gutenberg/blocks/courses/presets/classic/view.asset.php	2026-01-08 00:37:48.555787629 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => 'dd19d52c7179254521b7');+<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => 'cbc7ab54f65858d655a2');
AI Analysis
Vulnerability Existed: no

No vulnerability - N/A - assets/gutenberg/blocks/courses/presets/classic/view.asset.php (line 1)
Old Code:
```php
<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => 'dd19d52c7179254521b7');
```
Fixed Code:
```php
<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => 'cbc7ab54f65858d655a2');
```
Explanation:
This diff contains only a version hash update from 'dd19d52c7179254521b7' to 'cbc7ab54f65858d655a2'. The file is a WordPress asset dependency manifest that returns a PHP array with static configuration values. No security vulnerability exists in either version. The hash is a build artifact that changes whenever the compiled bundle it describes is rebuilt with different content; it is not the plugin version, and the diff contains no code logic modifications, input validation changes, or security-relevant alterations. The file structure, dependencies, and return values remain identical aside from the version identifier.
CVE Analysis Results:
CVE-2025-13766: No
assets/gutenberg/blocks/courses/presets/full-size-image/index.asset.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/assets/gutenberg/blocks/courses/presets/full-size-image/index.asset.php	2026-01-08 00:35:15.746534472 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/assets/gutenberg/blocks/courses/presets/full-size-image/index.asset.php	2026-01-08 00:37:48.615791273 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => 'a62706265ac7fca1076c');+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => '5fc0d48209c9bf594203');
AI Analysis
Vulnerability Existed: no

Explanation:
This diff shows a change to a PHP asset manifest file that only updates the version hash from `a62706265ac7fca1076c` to `5fc0d48209c9bf594203`. The dependencies array remains identical between versions.

This is a routine build artifact update with no security implications:
- No code logic changes
- No new dependencies added or removed
- No vulnerability fixes present
- The version hash changes because the compiled bundle it describes was rebuilt with different content; what changed inside that bundle is not visible in this diff
- The manifest is PHP, but it only returns a static array of script handles and a version string; it handles no input and performs no logic

No security vulnerabilities were introduced or fixed in this change.
CVE Analysis Results:
CVE-2025-13766: No
assets/gutenberg/blocks/courses/presets/full-size-image/view.asset.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/assets/gutenberg/blocks/courses/presets/full-size-image/view.asset.php	2026-01-08 00:35:15.766535679 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/assets/gutenberg/blocks/courses/presets/full-size-image/view.asset.php	2026-01-08 00:37:48.707796860 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => '7dc0f198652aebe638bd');+<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => '88b912acecf5399e94a6');
AI Analysis
Vulnerability Existed: no

**Analysis:**

This diff shows only a version hash change in a PHP asset file. The file is a WordPress asset manifest that declares dependencies and a version string for a Gutenberg block.

**Change Details:**
- File: `assets/gutenberg/blocks/courses/presets/full-size-image/view.asset.php`
- Old version hash: `7dc0f198652aebe638bd`
- New version hash: `88b912acecf5399e94a6`
- Dependencies remain unchanged: `wp-api-fetch`, `wp-i18n`

**Explanation:**

This is a routine version update with no security implications. The diff contains:
1. No code logic changes
2. No new functions or methods
3. No modified dependencies
4. No vulnerability fixes or introductions

Version hashes in asset files are typically generated during the build process and are used for cache-busting. Updating the hash alone does not introduce or fix security vulnerabilities. The structure and security posture of the code remain identical between versions.

**Conclusion:** No vulnerabilities detected in this diff.
CVE Analysis Results:
CVE-2025-13766: No
assets/gutenberg/blocks/courses/presets/price-accent/index.asset.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/assets/gutenberg/blocks/courses/presets/price-accent/index.asset.php	2026-01-08 00:35:15.770535920 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/assets/gutenberg/blocks/courses/presets/price-accent/index.asset.php	2026-01-08 00:37:48.783801475 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => 'fa84a76e67a07bdd9c2f');+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-element', 'wp-i18n'), 'version' => '072e76fd4e16f588ccf6');
AI Analysis
Vulnerability Existed: no

No Security Vulnerabilities Detected

Explanation:
This diff shows a change to a WordPress asset dependency file (index.asset.php) for a Gutenberg block. The only modification is updating the version hash from 'fa84a76e67a07bdd9c2f' to '072e76fd4e16f588ccf6'.

This is a routine version bump that reflects changes in the compiled asset. The file structure remains identical - it's a simple PHP array return statement declaring dependencies and a version identifier. There are no changes to:
- Dependency declarations
- PHP code logic
- Security-relevant configurations
- Input handling or data processing

Version hash updates in asset files are normal build artifacts and do not introduce or fix security vulnerabilities.
CVE Analysis Results:
CVE-2025-13766: No
assets/gutenberg/blocks/courses/presets/price-accent/view.asset.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/assets/gutenberg/blocks/courses/presets/price-accent/view.asset.php	2026-01-08 00:35:15.782536645 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/assets/gutenberg/blocks/courses/presets/price-accent/view.asset.php	2026-01-08 00:37:49.059818237 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => 'e464d3d3a74fe579b40c');+<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => '15ac1920845da9cf6e2b');
AI Analysis
Vulnerability Existed: no

No CWE Identified - N/A - assets/gutenberg/blocks/courses/presets/price-accent/view.asset.php [1]

Old Code:
```php
<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => 'e464d3d3a74fe579b40c');
```

Fixed Code:
```php
<?php return array('dependencies' => array('wp-api-fetch', 'wp-i18n'), 'version' => '15ac1920845da9cf6e2b');
```

Explanation:
This diff only changes the version hash from 'e464d3d3a74fe579b40c' to '15ac1920845da9cf6e2b'. This is a routine asset versioning update (likely a cache-busting mechanism for WordPress Gutenberg blocks). The file structure, dependencies declaration, and overall logic remain identical. Updating version hashes does not introduce or fix security vulnerabilities—it's a normal part of the build/release process. No security-relevant code changes are present in this diff.
CVE Analysis Results:
CVE-2025-13766: No
includes/Http/Controllers/Course/CourseTemplate/CreateCourseTemplateController.php AI: 1 vulnerabilities 1 true positive CVE-2025-13766
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/Http/Controllers/Course/CourseTemplate/CreateCourseTemplateController.php	2026-01-08 00:35:21.078856388 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/Http/Controllers/Course/CourseTemplate/CreateCourseTemplateController.php	2026-01-08 00:38:02.480633420 +0000@@ -11,6 +11,16 @@ 	public function __invoke( WP_REST_Request $request ): \WP_REST_Response { 		$data = $request->get_json_params(); +		if ( ! current_user_can( 'edit_posts' ) ) {+			return new \WP_REST_Response(+				array(+					'error_code' => 'create_template_access_error',+					'message'    => esc_html__( 'You do not have permission to create course templates.', 'masterstudy-lms-learning-management-system' ),+				),+				403+			);+		}+ 		if ( empty( $data['title'] ) ) { 			return WpResponseFactory::validation_failed( 'Missing title' ); 		}
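Review bot: the capability check sits in the controller body rather than in the route's `permission_callback`, so it only protects callers that reach this `__invoke()` and runs after `get_json_params()` has already parsed the body; moving it into the route registration is the WordPress REST convention and keeps every endpoint's authorization in one place. Two smaller points: `edit_posts` is the primitive capability held by Contributor and above, so the fix refuses Subscribers but still lets every Contributor create templates (confirm that is the intended floor), and this is the only one of the four template controllers in this patch that keys its text as `'message' =>`; the siblings should match this shape.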
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Access Control - CWE-284 - includes/Http/Controllers/Course/CourseTemplate/CreateCourseTemplateController.php Lines 14-22

Old Code:
```php
public function __invoke( WP_REST_Request $request ): \WP_REST_Response {
    $data = $request->get_json_params();

    if ( empty( $data['title'] ) ) {
        return WpResponseFactory::validation_failed( 'Missing title' );
    }
```

Fixed Code:
```php
public function __invoke( WP_REST_Request $request ): \WP_REST_Response {
    $data = $request->get_json_params();

    if ( ! current_user_can( 'edit_posts' ) ) {
        return new \WP_REST_Response(
            array(
                'error_code' => 'create_template_access_error',
                'message'    => esc_html__( 'You do not have permission to create course templates.', 'masterstudy-lms-learning-management-system' ),
            ),
            403
        );
    }

    if ( empty( $data['title'] ) ) {
        return WpResponseFactory::validation_failed( 'Missing title' );
    }
```

Explanation:
The vulnerability was an **Improper Access Control** (CWE-284) issue. The original code performed no authorization check before processing the REST API request to create course templates, so any authenticated user could create them regardless of role. The fix adds a capability check using `current_user_can( 'edit_posts' )` at the beginning of the function and returns a 403 Forbidden response if the caller lacks the capability. Note the floor this sets: `edit_posts` is held by Contributor and above, so Subscribers (the role named in the CVE) are refused while any Contributor can still create templates.
CVE Analysis Results:
CVE-2025-13766: Yes
includes/Http/Controllers/Course/CourseTemplate/DeleteCourseTemplateController.php AI: 1 vulnerabilities 1 true positive CVE-2025-13766
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/Http/Controllers/Course/CourseTemplate/DeleteCourseTemplateController.php	2026-01-08 00:35:21.082856630 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/Http/Controllers/Course/CourseTemplate/DeleteCourseTemplateController.php	2026-01-08 00:38:02.484633663 +0000@@ -8,6 +8,16 @@ class DeleteCourseTemplateController {  	public function __invoke( int $template_id ) {+		if ( ! current_user_can( 'delete_post', $template_id ) ) {+			return new \WP_REST_Response(+				array(+					'error_code' => 'delete_template_access_error',+					esc_html__( 'You do not have permission to delete course templates.', 'masterstudy-lms-learning-management-system' ),+				),+				403+			);+		}+ 		$result = ( new CourseTemplateRepository() )->delete( $template_id );  		if ( ! $result ) {
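Review bot: the denial payload is missing its `'message' =>` key: `esc_html__( 'You do not have permission to delete course templates.', ... )` becomes element `0` of the array, so the JSON body is `{"error_code":"delete_template_access_error","0":"You do not ..."}` rather than the `{error_code, message}` shape CreateCourseTemplateController returns in this same patch. Add the key. The capability choice itself is sound: `delete_post` against `$template_id` is resolved per object by `map_meta_cap()`, and a non-existent ID maps to `do_not_allow`, so the check fails closed.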
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Access Control / Authorization - CWE-639 - DeleteCourseTemplateController.php lines 10-19 (added)

Old Code:
```php
public function __invoke( int $template_id ) {
    $result = ( new CourseTemplateRepository() )->delete( $template_id );
```

Fixed Code:
```php
public function __invoke( int $template_id ) {
    if ( ! current_user_can( 'delete_post', $template_id ) ) {
        return new \WP_REST_Response(
            array(
                'error_code' => 'delete_template_access_error',
                esc_html__( 'You do not have permission to delete course templates.', 'masterstudy-lms-learning-management-system' ),
            ),
            403
        );
    }

    $result = ( new CourseTemplateRepository() )->delete( $template_id );
```

Explanation:
The original code allowed any user to delete course templates without permission checks. The fix adds a proper authorization check using WordPress's `current_user_can()` function to verify the user has the 'delete_post' capability for the specific template before allowing deletion. This prevents unauthorized users from deleting course templates they shouldn't have access to, directly addressing an access control vulnerability. The fix also returns an appropriate 403 Forbidden HTTP status code with a user-friendly error message when access is denied.
CVE Analysis Results:
CVE-2025-13766: Yes
includes/Http/Controllers/Course/CourseTemplate/ModifyCourseTemplateController.php AI: 1 vulnerabilities 1 true positive CVE-2025-13766
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/Http/Controllers/Course/CourseTemplate/ModifyCourseTemplateController.php	2026-01-08 00:35:21.086856871 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/Http/Controllers/Course/CourseTemplate/ModifyCourseTemplateController.php	2026-01-08 00:38:02.488633906 +0000@@ -23,6 +23,17 @@ 		}  		$data   = $request->get_json_params();++		if ( ! current_user_can( 'edit_post', $data['post_id'] ) ) {+			return new \WP_REST_Response(+				array(+					'error_code' => 'modify_template_access_error',+					esc_html__( 'You do not have permission to update course templates.', 'masterstudy-lms-learning-management-system' ),+				),+				403+			);+		}+ 		$result = ( new CourseTemplateRepository() )->modify_template( $data['title'], $data['post_id'] );  		if ( ! $result ) {
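Review bot: same missing `'message' =>` key as in DeleteCourseTemplateController; the string lands at index `0` of the response array. Also, `$data['post_id']` is read straight out of the JSON body here: unless the block that ends at line 23 already guarantees it is present, a body without it raises an undefined-index notice and `current_user_can( 'edit_post', null )` resolves to `do_not_allow`, which fails closed but noisily; an explicit `empty( $data['post_id'] )` check returning 400 before the capability test would be cleaner. Note too that `edit_post` answers whether the caller may edit whatever post carries that ID, not whether that post is a course template; whether `modify_template()` rejects non-template IDs is outside this hunk.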
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Broken Access Control (Authorization) - CWE-639 - includes/Http/Controllers/Course/CourseTemplate/ModifyCourseTemplateController.php Lines 26-35

Old Code:
```php
$data   = $request->get_json_params();
$result = ( new CourseTemplateRepository() )->modify_template( $data['title'], $data['post_id'] );
```

Fixed Code:
```php
$data   = $request->get_json_params();

if ( ! current_user_can( 'edit_post', $data['post_id'] ) ) {
    return new \WP_REST_Response(
        array(
            'error_code' => 'modify_template_access_error',
            esc_html__( 'You do not have permission to update course templates.', 'masterstudy-lms-learning-management-system' ),
        ),
        403
    );
}

$result = ( new CourseTemplateRepository() )->modify_template( $data['title'], $data['post_id'] );
```

Explanation:
The original code was vulnerable to broken access control (authorization bypass). It accepted a `post_id` parameter from user input and passed it directly to `modify_template()` without verifying that the current user may edit that specific post. An authenticated attacker could therefore modify course templates they should not have access to simply by supplying the `post_id` of another user's template.

The fix adds an authorization check using WordPress's `current_user_can( 'edit_post', $data['post_id'] )` before processing the request. Only users holding the edit capability for the specified post pass; everyone else receives a 403 Forbidden response.
CVE Analysis Results:
CVE-2025-13766: Yes
includes/Http/Controllers/Course/CourseTemplate/UpdateCourseTemplateController.php AI: 1 vulnerabilities 1 true positive CVE-2025-13766
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/Http/Controllers/Course/CourseTemplate/UpdateCourseTemplateController.php	2026-01-08 00:35:21.086856871 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/Http/Controllers/Course/CourseTemplate/UpdateCourseTemplateController.php	2026-01-08 00:38:02.492634149 +0000@@ -24,6 +24,16 @@  		$data = $request->get_json_params(); +		if ( ! current_user_can( 'manage_options' ) ) {+			return new \WP_REST_Response(+				array(+					'error_code' => 'modify_template_access_error',+					esc_html__( 'You do not have permission to update course templates.', 'masterstudy-lms-learning-management-system' ),+				),+				403+			);+		}+ 		$result = ( new CourseTemplateRepository() )->update( $data['course_style'] );  		if ( ! $result ) {
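Review bot: the denial array again lacks the `'message' =>` key, and it reuses `modify_template_access_error` from ModifyCourseTemplateController, so a client cannot tell the two denials apart; use a distinct code such as `update_template_access_error` and key the message. On the capability: `manage_options` (administrators only) is stricter than the `edit_posts`/`edit_post` checks in the sibling controllers, which is defensible because `update( $data['course_style'] )` writes a site-wide setting rather than one user's template, but the asymmetry deserves a comment so it is not "fixed" later.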
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Access Control - CWE-284 - includes/Http/Controllers/Course/CourseTemplate/UpdateCourseTemplateController.php - Lines 27-35

Old Code:
```php
$data = $request->get_json_params();

$result = ( new CourseTemplateRepository() )->update( $data['course_style'] );
```

Fixed Code:
```php
$data = $request->get_json_params();

if ( ! current_user_can( 'manage_options' ) ) {
	return new \WP_REST_Response(
		array(
			'error_code' => 'modify_template_access_error',
			esc_html__( 'You do not have permission to update course templates.', 'masterstudy-lms-learning-management-system' ),
		),
		403
	);
}

$result = ( new CourseTemplateRepository() )->update( $data['course_style'] );
```

Explanation:
The original code performed no authorization check before applying a course template update, so any authenticated user could change the course style by calling this endpoint directly, regardless of role. The fix adds `current_user_can( 'manage_options' )`, restricting the endpoint to administrators and returning a 403 Forbidden response to everyone else. This prevents privilege escalation and unauthorized modification of site-wide course configuration.
CVE Analysis Results:
CVE-2025-13766: Yes
CVE Description:
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates.
includes/Http/Controllers/Media/DeleteController.php AI: 1 vulnerability, 1 true positive
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/Http/Controllers/Media/DeleteController.php	2026-01-08 00:35:21.130859528 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/Http/Controllers/Media/DeleteController.php	2026-01-08 00:38:02.592640225 +0000@@ -14,6 +14,16 @@ 			); 		} +		if ( ! current_user_can( 'delete_post', $media_id ) ) {+			return new \WP_REST_Response(+				array(+					'error_code' => 'delete_media_access_error',+					'message'    => esc_html__( 'You do not have permission to delete this template', 'masterstudy-lms-learning-management-system' ),+				),+				403+			);+		}+ 		return new \WP_REST_Response( 			array( 				'status' => (bool) wp_delete_attachment( $media_id ),
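Review bot: the 403 message reads "You do not have permission to delete this template", but this controller deletes a media attachment (`wp_delete_attachment( $media_id )`); the string looks copied from the template controller and should say "delete this media file" so clients and support logs are not misled. The capability itself is the right choice: `current_user_can( 'delete_post', $media_id )` lets WordPress map the meta-capability to `delete_others_posts` for attachments the caller does not own, and it returns false for an ID that does not resolve to a post, so IDs that pass the `isset` guard but do not exist are rejected as well.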
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Broken Access Control (Missing Authorization Check) - CWE-276 - includes/Http/Controllers/Media/DeleteController.php - Lines 17-25

Old Code:
```php
		if ( ! isset( $media_id ) ) {
			return new \WP_REST_Response(
				array(
					'error_code' => 'media_id_missing',
					'message'    => esc_html__( 'Media ID is required', 'masterstudy-lms-learning-management-system' ),
				),
				400
			);
		}

		return new \WP_REST_Response(
			array(
				'status' => (bool) wp_delete_attachment( $media_id ),
```

Fixed Code:
```php
		if ( ! isset( $media_id ) ) {
			return new \WP_REST_Response(
				array(
					'error_code' => 'media_id_missing',
					'message'    => esc_html__( 'Media ID is required', 'masterstudy-lms-learning-management-system' ),
				),
				400
			);
		}

		if ( ! current_user_can( 'delete_post', $media_id ) ) {
			return new \WP_REST_Response(
				array(
					'error_code' => 'delete_media_access_error',
					'message'    => esc_html__( 'You do not have permission to delete this template', 'masterstudy-lms-learning-management-system' ),
				),
				403
			);
		}

		return new \WP_REST_Response(
			array(
				'status' => (bool) wp_delete_attachment( $media_id ),
```

Explanation:
The original code performed media deletion without verifying user permissions. The controller validated that a media_id was present but proceeded directly to delete the attachment using `wp_delete_attachment()` without checking if the current user had authorization to delete that specific post/media. This is a classic authorization bypass vulnerability (CWE-276). The fix introduces a `current_user_can( 'delete_post', $media_id )` check that validates the user has the required capabilities before allowing deletion, returning a 403 Forbidden response if the user lacks permission.
CVE Analysis Results:
CVE-2025-13766: No
includes/Http/Controllers/Media/UploadController.php AI: 1 vulnerability, 1 true positive, CVE-2025-13766
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/Http/Controllers/Media/UploadController.php	2026-01-08 00:35:21.130859528 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/Http/Controllers/Media/UploadController.php	2026-01-08 00:38:02.592640225 +0000@@ -8,6 +8,16 @@  class UploadController { 	public function __invoke( WP_REST_Request $request ) {+		if ( ! current_user_can( 'upload_files' ) ) {+			return new \WP_REST_Response(+				array(+					'error_code' => 'media_upload_access_error',+					'message'    => esc_html__( 'You do not have permission to upload media files.', 'masterstudy-lms-learning-management-system' ),+				),+				403+			);+		}+ 		$extensions = implode( ';', array_keys( apply_filters( 'upload_mimes', Media::MIMES ) ) ); 		$validator  = new Validator( 			$request->get_file_params(),
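Review bot: the check sits before `$request->get_file_params()` is handed to the Validator, so a caller without `upload_files` never reaches MIME validation or any file handling; that is the right order. `upload_files` is also the capability WordPress core requires for its own media endpoint, and Subscribers lack it by default, so this lines up with the CVE text. Since `current_user_can()` is false for a logged-out request, this branch also answers anonymous calls with 403; if a 401 is preferred for those, that belongs in the route's authentication layer rather than here.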
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Broken Access Control - CWE-639 - includes/Http/Controllers/Media/UploadController.php - Lines 10-19

Old Code:
```php
public function __invoke( WP_REST_Request $request ) {
    $extensions = implode( ';', array_keys( apply_filters( 'upload_mimes', Media::MIMES ) ) );
```

Fixed Code:
```php
public function __invoke( WP_REST_Request $request ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new \WP_REST_Response(
            array(
                'error_code' => 'media_upload_access_error',
                'message'    => esc_html__( 'You do not have permission to upload media files.', 'masterstudy-lms-learning-management-system' ),
            ),
            403
        );
    }

    $extensions = implode( ';', array_keys( apply_filters( 'upload_mimes', Media::MIMES ) ) );
```

Explanation:
The original code lacked authorization checks on the media upload endpoint. Any authenticated user could potentially upload files without proper permission validation. The fix adds a `current_user_can( 'upload_files' )` check that returns a 403 Forbidden response if the user lacks the required capability. This prevents unauthorized file uploads and properly enforces WordPress's role-based access control system. The fix also provides a clear error message using proper escaping (`esc_html__`), following WordPress security best practices.
CVE Analysis Results:
CVE-2025-13766: Yes
includes/Http/Controllers/Media/UploadFromUrlController.php AI: 1 vulnerability, 1 true positive, CVE-2025-13766
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/Http/Controllers/Media/UploadFromUrlController.php	2026-01-08 00:35:21.134859770 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/Http/Controllers/Media/UploadFromUrlController.php	2026-01-08 00:38:02.596640468 +0000@@ -10,6 +10,16 @@  final class UploadFromUrlController { 	public function __invoke( WP_REST_Request $request ): WP_REST_Response {+		if ( ! current_user_can( 'upload_files' ) ) {+			return new \WP_REST_Response(+				array(+					'error_code' => 'delete_media_access_error',+					'message'    => esc_html__( 'You do not have permission to upload media files.', 'masterstudy-lms-learning-management-system' ),+				),+				403+			);+		}+ 		$validator = new Validator( 			$request->get_params(), 			array(
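Review bot: the `error_code` in the new branch is `'delete_media_access_error'`, copied from the delete controller, while the message talks about uploading; use `'media_upload_access_error'` as UploadController does so clients and logs can tell the two failures apart. The capability check itself mirrors UploadController and precedes the Validator, which is correct. Keep in mind that `upload_files` only decides who may upload; what the supplied URL is allowed to resolve to is handled (if at all) in code outside this hunk.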
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Access Control - CWE-284 - includes/Http/Controllers/Media/UploadFromUrlController.php - Lines 13-16

Old Code:
```php
public function __invoke( WP_REST_Request $request ): WP_REST_Response {
    $validator = new Validator(
        $request->get_params(),
```

Fixed Code:
```php
public function __invoke( WP_REST_Request $request ): WP_REST_Response {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new \WP_REST_Response(
            array(
                'error_code' => 'delete_media_access_error',
                'message'    => esc_html__( 'You do not have permission to upload media files.', 'masterstudy-lms-learning-management-system' ),
            ),
            403
        );
    }
```

Explanation:
The original code was missing authorization checks before processing media file uploads via the REST API endpoint. An unauthenticated or unauthorized user could invoke the controller and attempt to upload files without the 'upload_files' capability. The fix adds a capability check using WordPress's `current_user_can()` function at the start of the request handler, returning a 403 Forbidden response if the user lacks the required permission. This prevents unauthorized file uploads and addresses the improper access control vulnerability (CWE-284).
CVE Analysis Results:
CVE-2025-13766: Yes
includes/Plugin/Addons.php AI: Not Sure
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/Plugin/Addons.php	2026-01-08 00:35:21.234865809 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/Plugin/Addons.php	2026-01-08 00:38:02.728648488 +0000@@ -78,7 +78,7 @@ 	}  	public static function list(): array {-		return array(+		$addons_list = array( 			self::CERTIFICATE_BUILDER => array( 				'name'          => esc_html__( 'Certificate Builder', 'masterstudy-lms-learning-management-system' ), 				'url'           => esc_url( STM_LMS_URL . 'assets/addons/certtificate_builder.png' ),@@ -298,14 +298,6 @@ 				'pro_url'       => 'https://stylemixthemes.com/wordpress-lms-plugin/pricing/?utm_source=wpadmin&utm_medium=ms-gclassroom&utm_campaign=masterstudy-plugin&licenses=1&billing_cycle=annual', 				'documentation' => 'google-classroom', 			),-			self::UDEMY               => array(-				'name'          => esc_html__( 'Udemy Importer', 'masterstudy-lms-learning-management-system' ),-				'url'           => esc_url( STM_LMS_URL . 'assets/addons/udemy.png' ),-				'settings'      => admin_url( 'admin.php?page=stm-lms-udemy-settings' ),-				'description'   => esc_html__( 'Import courses from Udemy and display them on your website. Enrich your course catalog and earn affiliate commissions.', 'masterstudy-lms-learning-management-system' ),-				'pro_url'       => 'https://stylemixthemes.com/wordpress-lms-plugin/pricing/?utm_source=wpadmin&utm_medium=ms-udemy&utm_campaign=masterstudy-plugin&licenses=1&billing_cycle=annual',-				'documentation' => 'udemy-course-importer',-			), 			self::ONLINE_TESTING      => array( 				'name'          => esc_html__( 'Online Testing', 'masterstudy-lms-learning-management-system' ), 				'url'           => esc_url( STM_LMS_URL . 'assets/addons/mst.png' ),@@ -315,5 +307,25 @@ 				'documentation' => 'online-testing', 			), 		);++		$udemy_visible = get_option( 'ms_lms_udemy_visible', false );++		if ( ! 
$udemy_visible && is_ms_lms_addon_enabled( self::UDEMY ) ) {+			$udemy_visible = true;+			update_option( 'ms_lms_udemy_visible', 1 );+		}++		if ( $udemy_visible ) {+			$addons_list[ self::UDEMY ] = array(+				'name'          => esc_html__( 'Udemy Importer', 'masterstudy-lms-learning-management-system' ),+				'url'           => esc_url( STM_LMS_URL . 'assets/addons/udemy.png' ),+				'settings'      => admin_url( 'admin.php?page=stm-lms-udemy-settings' ),+				'description'   => esc_html__( 'Import courses from Udemy and display them on your website. Enrich your course catalog and earn affiliate commissions.', 'masterstudy-lms-learning-management-system' ),+				'pro_url'       => 'https://stylemixthemes.com/wordpress-lms-plugin/pricing/?utm_source=wpadmin&utm_medium=ms-udemy&utm_campaign=masterstudy-plugin&licenses=1&billing_cycle=annual',+				'documentation' => 'udemy-course-importer',+			);+		}++		return $addons_list; 	} }
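Review bot: the new block turns `ms_lms_udemy_visible` into a one-way latch: it is set to 1 the first time `is_ms_lms_addon_enabled( self::UDEMY )` is true and never cleared, so the addon stays listed after being disabled, and `list()` now performs a database write (`update_option`) on what used to be a pure read path. If that stickiness is intended, say so in a comment; otherwise derive visibility as `$udemy_visible || is_ms_lms_addon_enabled( self::UDEMY )` without the write, or clear the option wherever the addon is disabled. Either way this hunk only changes which entries the admin addon list contains; nothing in it touches the REST capability checks that CVE-2025-13766 concerns.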
AI Analysis
Vulnerability Existed: not sure
CWE-434 (Unrestricted Upload of File with Dangerous Type) / CWE-639 (Authorization Bypass Through User-Controlled Key) - includes/Plugin/Addons.php - Lines 310-327
Old Code:
```php
return array(
    // ... addons list with UDEMY always included
);
```
Fixed Code:
```php
$addons_list = array(
    // ... addons list WITHOUT UDEMY
);

$udemy_visible = get_option( 'ms_lms_udemy_visible', false );

if ( ! $udemy_visible && is_ms_lms_addon_enabled( self::UDEMY ) ) {
    $udemy_visible = true;
    update_option( 'ms_lms_udemy_visible', 1 );
}

if ( $udemy_visible ) {
    $addons_list[ self::UDEMY ] = array( /* ... */ );
}

return $addons_list;
```
Explanation:
The change refactors the UDEMY addon from being statically included in the addons list to being conditionally added based on a WordPress option (`ms_lms_udemy_visible`). This appears to be an access control modification rather than fixing an inherent code vulnerability. The potential security concern would depend on:

1. **If this fixes a vulnerability**: The original code may have exposed the UDEMY addon to unauthorized users who shouldn't see it. The fix restricts visibility based on an option and addon enablement check (`is_ms_lms_addon_enabled`).

2. **If this introduces a vulnerability**: The new code reads/writes WordPress options without apparent capability checks. If `update_option()` can be called by low-privilege users, this could allow unauthorized addon visibility manipulation via CWE-639 (Authorization Bypass). However, WordPress typically protects `update_option()` at the capability level.

3. **Uncertainty**: Without seeing the `is_ms_lms_addon_enabled()` function implementation and capability context, it's unclear if this is a security fix or introduces a new authorization bypass vector. The fix appears intentional (conditional addon display), but the security posture depends on proper capability checks in the calling context.
CVE Analysis Results:
CVE-2025-13766: No
includes/routes.php AI: 1 vulnerability, 1 true positive, CVE-2025-13766
--- cache/masterstudy-lms-learning-management-system_3.7.6/includes/routes.php	2026-01-08 00:35:21.314870639 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/includes/routes.php	2026-01-08 00:38:02.828654564 +0000@@ -395,6 +395,7 @@ 	array( 		'middleware' => array( 			\MasterStudy\Lms\Routing\Middleware\Authentication::class,+			\MasterStudy\Lms\Routing\Middleware\Instructor::class, 		), 		'prefix'     => '/course-templates', 	),
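Review bot: adding `Instructor::class` to the `/course-templates` group gates the whole prefix on the instructor role, while `UpdateCourseTemplateController` in this same release additionally requires `manage_options`; the two layers leave instructors able to reach the group but not to update, so document which audience the prefix is meant for (or move the stricter check into the middleware) to avoid inconsistent 403s. Also note that the hunk contains nothing about nonces or request origin; what it changes is authorization, so a CWE-862/863 label describes this hunk better than CWE-352.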
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Request Forgery (CSRF) / Unauthorized Access - CWE-352 / CWE-863 - includes/routes.php Lines 395-399

Old Code:
```php
array(
    'middleware' => array(
        \MasterStudy\Lms\Routing\Middleware\Authentication::class,
    ),
    'prefix'     => '/course-templates',
),
```

Fixed Code:
```php
array(
    'middleware' => array(
        \MasterStudy\Lms\Routing\Middleware\Authentication::class,
        \MasterStudy\Lms\Routing\Middleware\Instructor::class,
    ),
    'prefix'     => '/course-templates',
),
```

Explanation:
The `/course-templates` route previously only enforced authentication via the `Authentication` middleware. The addition of the `Instructor` middleware implements role-based access control (RBAC), restricting access to users with instructor privileges. Without this middleware, any authenticated user could access course template functionality regardless of their role, which is a privilege escalation vulnerability (CWE-863: Incorrect Authorization). The fix ensures that only instructors can access the `/course-templates` endpoint, preventing unauthorized users from modifying or viewing instructor-only resources.
CVE Analysis Results:
CVE-2025-13766: Yes
masterstudy-lms-learning-management-system.php AI: No vulnerabilities
--- cache/masterstudy-lms-learning-management-system_3.7.6/masterstudy-lms-learning-management-system.php	2026-01-08 00:35:21.726895517 +0000+++ cache/masterstudy-lms-learning-management-system_3.7.7/masterstudy-lms-learning-management-system.php	2026-01-08 00:38:03.732709490 +0000@@ -7,7 +7,7 @@  * Author: StylemixThemes  * Author URI: https://stylemixthemes.com/  * Text Domain: masterstudy-lms-learning-management-system- * Version: 3.7.6+ * Version: 3.7.7  * Masterstudy LMS Pro tested up to: 4.8  */ @@ -15,7 +15,7 @@ 	exit; // Exit if accessed directly } -define( 'MS_LMS_VERSION', '3.7.6' );+define( 'MS_LMS_VERSION', '3.7.7' ); define( 'MS_LMS_FILE', __FILE__ ); define( 'MS_LMS_PATH', dirname( MS_LMS_FILE ) ); define( 'MS_LMS_URL', plugin_dir_url( MS_LMS_FILE ) );
AI Analysis
**Analysis Result:**

Vulnerability Existed: no

**Explanation:**

This diff contains only version number updates from 3.7.6 to 3.7.7 in two locations:
1. The plugin header comment (line 10)
2. The MS_LMS_VERSION constant definition (line 18)

These are cosmetic changes that update version identifiers and do not introduce, fix, or relate to any security vulnerabilities. Version bumps themselves are not security-related changes unless they're accompanied by actual code modifications that address vulnerabilities.

No security issues are present in this diff.
CVE Analysis Results:
CVE-2025-13766: No