The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.
Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint
Problem type
Affected products
masteriyo
<= 2.1.7 - AFFECTED
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d51dc3-b695-4e9d-b25a-d1b302be1fec?source=cve
https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L563-639
https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L563-639
https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L649-704
https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L649-704
https://plugins.trac.wordpress.org/changeset/3499458/learning-management-system/trunk/addons/stripe/StripeAddon.php
GitHub Security Advisories
GHSA-v3v2-w9v8-q7h6
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is...
https://github.com/advisories/GHSA-v3v2-w9v8-q7h6The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content.
https://nvd.nist.gov/vuln/detail/CVE-2026-5167
https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L563-639
https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L649-704
https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L563-639
https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L649-704
https://plugins.trac.wordpress.org/changeset/3499458/learning-management-system/trunk/addons/stripe/StripeAddon.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d51dc3-b695-4e9d-b25a-d1b302be1fec?source=cve
https://github.com/advisories/GHSA-v3v2-w9v8-q7h6
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-5167Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-5167",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"dateUpdated": "2026-04-08T06:43:41.319Z",
"dateReserved": "2026-03-30T15:04:11.752Z",
"datePublished": "2026-04-08T06:43:41.319Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2026-04-08T06:43:41.319Z"
},
"title": "Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint",
"descriptions": [
{
"lang": "en",
"value": "The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id values in the metadata, mark any order as completed without payment, and gain unauthorized access to paid course content."
}
],
"affected": [
{
"vendor": "masteriyo",
"product": "Masteriyo LMS – Online Course Builder for eLearning, LMS & Education",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "2.1.7"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"cweId": "CWE-639",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6d51dc3-b695-4e9d-b25a-d1b302be1fec?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L563-639"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L563-639"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/trunk/addons/stripe/StripeAddon.php#L649-704"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learning-management-system/tags/2.1.4/addons/stripe/StripeAddon.php#L649-704"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3499458/learning-management-system/trunk/addons/stripe/StripeAddon.php"
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
}
],
"timeline": [
{
"time": "2026-03-30T15:19:24.000Z",
"lang": "en",
"value": "Vendor Notified"
},
{
"time": "2026-04-07T17:55:41.000Z",
"lang": "en",
"value": "Disclosed"
}
],
"credits": [
{
"lang": "en",
"value": "Md. Moniruzzaman Prodhan",
"type": "finder"
}
]
}
}
}