CVE-2025-54744: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-54744) was discovered in Stylemix MasterStudy LMS WordPress plugin affecting versions up to and including 3.6.15. The vulnerability was disclosed on September 3, 2025, and involves incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring Low privileges (PR:L) and No user interaction (UI:N). The scope is Unchanged (S:U) with No impact on confidentiality (C:N), High impact on integrity (I:H), and No impact on availability (A:N) (NVD, Rapid7).

The vulnerability allows authenticated attackers with Subscriber-level access and above to perform unauthorized actions. This represents a significant integrity risk as attackers can execute actions beyond their intended privilege level (Rapid7).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available (Patchstack).