CVE-2026-8653: The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in
medium vulnerability
security
Summary
The MasterStudy LMS Pro Plus plugin for WordPress has a SQL injection vulnerability (a weakness that lets attackers insert malicious database commands) in the 'columns' parameter, affecting all versions up to 4.8.20. Because the parameter is insufficiently escaped (special characters are not neutralized) and the query is not built with prepared statements (a safer way to build database queries), attackers with instructor-level access or higher can extract sensitive data from the database.
Vulnerability Details
CVSS Score
6.5 (medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
low
User Interaction
none
Disclosure Date
June 3, 2026
Classification
Attack Sophistication
Moderate
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-8653
First tracked: June 4, 2026 at 02:02 AM
Classified by LLM (prompt v3) · confidence: 95%