CVE-2025-54699: 
WordPress vulnerability analysis and mitigation

The Masteriyo - LMS plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-54699) affecting versions up to and including 1.18.3. The vulnerability was discovered by Denver Jackson and was publicly disclosed on July 30, 2025. This security issue affects the WordPress plugin's input handling mechanisms (Rapid7, Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping in the Masteriyo - LMS plugin. It has been assigned a CVSS score of 6.4-6.5 (Medium severity). The technical assessment indicates that the vulnerability allows for the injection of arbitrary web scripts that execute when users access affected pages (Rapid7, Patchstack).

The vulnerability enables authenticated attackers with contributor-level access or higher to inject malicious scripts into web pages. These scripts can potentially be used to insert redirects, advertisements, and other HTML payloads that execute when visitors access the affected pages. The impact is classified under the OWASP Top 10 category A3: Injection (Patchstack).

The vulnerability has been patched in version 1.18.4 of the Masteriyo - LMS plugin. Site administrators are advised to update to version 1.18.4 or later to remove the vulnerability. For additional protection, Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).