Description
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change an arbitrary user's password, including administrators', and gain access to their account.
Published: 2026-01-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Account Takeover
Action: Patch Immediately
AI Analysis

Impact

The Academy LMS plugin for WordPress does not verify the identity of the user whose password is being changed; the only check is a nonce that is exposed to unauthenticated visitors. A WordPress nonce is a CSRF token: it shows that the request carries a value the site itself rendered, not who is sending the request, and a nonce rendered into a public page provides no authorization at all. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the account to be modified is selected by an attacker-supplied identifier that is never compared with the caller's identity. An unauthenticated attacker can therefore set the password of any user, including administrators, and log in as that user. This compromises the confidentiality and integrity of every account on the site, and because a WordPress administrator can install plugins and edit theme files, taking over an administrator account normally amounts to arbitrary PHP execution on the web server.

Affected Systems

The vulnerability affects every release of the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution by Kodezen up to and including version 3.5.0. Any WordPress site running one of these versions is exposed to unauthenticated remote attackers; this entry records no fixed version.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the issue critical: it is reachable over the network, needs no privileges or user interaction, and yields full control of the targeted account. The EPSS score below 1% means that, at the time of scoring, exploitation in the wild was predicted to be unlikely; it is a probability estimate, not evidence that exploitation is impossible, and the issue is not currently listed in the CISA KEV catalog. The SSVC assessment recorded in the history below marks the flaw as automatable with total technical impact, which matches the likely attack path: a single unauthenticated HTTP request to the plugin's password-update endpoint carrying the publicly obtainable nonce, the target user's identifier and a new password, which the plugin accepts because the nonce is its only check. With an administrator's password set, the attacker logs in normally and can install plugins or edit theme files, gaining code execution on the web server and access to every user's data.
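To make the attack path concrete, the following is an added illustration of the CWE-639 pattern described above in a WordPress AJAX handler, with the vulnerable shape beside a hardened one. It is not Academy LMS code: the action names (example_lms_update_password*), the form field names (_nonce, user_id, current_password, new_password) and the function names are assumptions chosen for the example; only real WordPress APIs are used.

```php
<?php
// Added illustration of the CWE-639 pattern described on this page. This is
// NOT Academy LMS code: the AJAX action names, form field names and function
// names are assumptions chosen for the example. Only real WordPress APIs are used.

// ---- Vulnerable pattern --------------------------------------------------
// Registering the handler on wp_ajax_nopriv_ as well as wp_ajax_ means an
// anonymous POST to /wp-admin/admin-ajax.php?action=example_lms_update_password
// reaches it.
add_action( 'wp_ajax_example_lms_update_password',        'example_lms_update_password_vulnerable' );
add_action( 'wp_ajax_nopriv_example_lms_update_password', 'example_lms_update_password_vulnerable' );

function example_lms_update_password_vulnerable() {
	// A nonce is a CSRF token. It proves the request carries a value the site
	// rendered into some page; if that page is public, anyone can read the value.
	// It proves nothing about who is sending the request.
	if ( ! wp_verify_nonce( $_POST['_nonce'] ?? '', 'example_lms_password_nonce' ) ) {
		wp_send_json_error( 'bad nonce', 403 ); // calls wp_die(), execution stops here
	}

	// CWE-639: the account is chosen by a client-supplied key that is never
	// compared with the caller's identity, so user_id=1 (usually the first
	// administrator) is as acceptable as any other value.
	$user_id = (int) ( $_POST['user_id'] ?? 0 );
	wp_set_password( (string) ( $_POST['new_password'] ?? '' ), $user_id );
	wp_send_json_success();
}

// ---- Hardened pattern ----------------------------------------------------
// Logged-in hook only: admin-ajax.php answers anonymous callers with "0".
add_action( 'wp_ajax_example_lms_update_password_fixed', 'example_lms_update_password_fixed' );

function example_lms_update_password_fixed() {
	// Keep the nonce, but in its real role: CSRF protection for a logged-in user.
	check_ajax_referer( 'example_lms_password_nonce', '_nonce' );

	$current_id = get_current_user_id();
	if ( 0 === $current_id ) {
		wp_send_json_error( 'authentication required', 401 );
	}

	// Bind the target to the authenticated identity. A different target is
	// allowed only if WordPress itself says this user may edit that account
	// (edit_user is a meta capability resolved by map_meta_cap()).
	$target_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $current_id;
	if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
		wp_send_json_error( 'not permitted', 403 );
	}

	// Re-authenticate when a user changes their own password, so a hijacked
	// session or an XSS foothold is not enough to rotate the credential.
	if ( $target_id === $current_id ) {
		$user             = wp_get_current_user();
		$current_password = (string) ( $_POST['current_password'] ?? '' );
		if ( ! wp_check_password( $current_password, $user->user_pass, $user->ID ) ) {
			wp_send_json_error( 'current password incorrect', 403 );
		}
	}

	$new_password = (string) ( $_POST['new_password'] ?? '' );
	if ( strlen( $new_password ) < 12 ) { // the minimum length is a policy choice for this example
		wp_send_json_error( 'password too short', 400 );
	}

	wp_set_password( $new_password, $target_id );
	wp_send_json_success();
}
```

Against the vulnerable handler an attacker only has to load whichever public page renders the nonce and then POST it together with user_id=1 and a chosen password. The hardened handler refuses anonymous callers, ties the target account to the session (or to an explicit WordPress capability on that account) and requires the current password before changing it. The same three checks apply to a REST route, where the identity and capability checks belong in the route's permission_callback.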

Generated by OpenCVE AI on April 21, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Academy LMS plugin to a release later than 3.5.0 that verifies the caller's identity and authorization before changing a password; this entry records no fixed version, so confirm the fix in the vendor's changelog.
  • If an update cannot be applied immediately, stop unauthenticated requests from reaching the plugin's password‑update endpoint: deactivate the plugin, or block anonymous requests to that endpoint at the web server or WAF. A nonce or other CSRF token does not help here, because the plugin already accepts a nonce and the nonce is publicly obtainable; the missing control is an authentication and ownership check (for example, a caller may change only their own password, or must hold the edit_user capability for the target account).
  • Audit password changes and administrator logins (WordPress core does not write password changes to a log by default, so add a logging hook or an audit plugin), reset administrator passwords if there is any sign of abuse, and enforce multi‑factor authentication for all administrator accounts so that a changed password alone does not grant access.
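The audit trail the last action asks for can be produced from inside WordPress itself. What follows is an added example, not Academy LMS or OpenCVE code: a must-use plugin that records every password change core performs, whichever plugin triggered it, and flags the shape of this flaw (an anonymous request changing an administrator's password outside the core lost-password flow). Assumptions: WordPress 6.2 or later for the wp_set_password action (older cores only expose the profile_update path shown and the core reset hooks); the sink is PHP's error_log(), which WP_DEBUG_LOG sends to wp-content/debug.log, to be replaced with a SIEM forwarder in production; the pca_ prefix is arbitrary.

```php
<?php
/**
 * Plugin Name: Password Change Audit (added example)
 * Description: Logs every password change WordPress performs, whichever plugin triggered it.
 *
 * Added example for this page, not Academy LMS or OpenCVE code. Place the file in
 * wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be
 * deactivated from the dashboard. Assumptions: WordPress 6.2+ (the 'wp_set_password'
 * action); the sink is PHP's error_log(), which WP_DEBUG_LOG writes to
 * wp-content/debug.log. Replace the sink with your SIEM forwarder.
 */

function pca_record_password_change( int $user_id, string $via ): void {
	$target = get_userdata( $user_id );
	$actor  = get_current_user_id(); // 0 means no authenticated session
	$roles  = $target ? (array) $target->roles : array();

	$record = array(
		'event'     => 'password_changed',
		'via'       => $via,                              // which core code path fired
		'target_id' => $user_id,
		'target'    => $target ? $target->user_login : null,
		'roles'     => implode( ',', $roles ),
		'actor_id'  => $actor,
		'remote_ip' => $_SERVER['REMOTE_ADDR'] ?? null,   // use the proxy header instead behind a load balancer
		'uri'       => $_SERVER['REQUEST_URI'] ?? null,
		'ajax'      => wp_doing_ajax() ? (string) ( $_REQUEST['action'] ?? '' ) : null,
		'ts'        => gmdate( 'c' ),
	);

	// Alert condition: an anonymous request changes an administrator's password
	// anywhere other than the core lost-password flow on wp-login.php. A plugin
	// endpoint doing this is exactly the shape of the flaw on this page.
	$on_core_login = false !== strpos( (string) ( $record['uri'] ?? '' ), 'wp-login.php' );
	if ( 0 === $actor && in_array( 'administrator', $roles, true ) && ! $on_core_login ) {
		$record['alert'] = 'unauthenticated administrator password change';
	}

	error_log( 'PCA ' . wp_json_encode( $record ) );
}

// Path 1: the pluggable wp_set_password(), used by core's reset flow and by many
// plugins. WordPress 6.2+ fires this action (assumption: the site runs 6.2+).
add_action( 'wp_set_password', function ( $password, $user_id ) {
	pca_record_password_change( (int) $user_id, 'wp_set_password' );
}, 10, 2 );

// Path 2: wp_update_user()/wp_insert_user() given a new user_pass. These store the
// hash directly and never call wp_set_password(), so compare the hash before and after.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
	$new = get_userdata( $user_id );
	if ( $new && $old_user_data && $new->user_pass !== $old_user_data->user_pass ) {
		pca_record_password_change( (int) $user_id, 'profile_update' );
	}
}, 10, 2 );
```

Each record carries the acting user id, the remote address, the request URI and the admin-ajax action, so a line with actor_id 0, an administrator target and a URI under /wp-admin/admin-ajax.php or /wp-json/ is the event to hunt for in an investigation of this CVE. The two hooks are disjoint (wp_set_password writes the hash itself and does not fire profile_update), so a single change is logged once.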

Advisories

No advisories yet.

History

Wed, 21 Jan 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 11:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Kodezen
                                      Kodezen academy Lms
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products   -                Kodezen
                                      Kodezen academy Lms
                                      Wordpress
                                      Wordpress wordpress

Wed, 21 Jan 2026 02:00:00 +0000

Type         Values Removed   Values Added
Description  -                The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change an arbitrary user's password, including administrators', and gain access to their account.
Title        -                Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover
Weaknesses   -                CWE-639
References   -                -
Metrics      -                cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:00.512Z

Reserved: 2026-01-14T15:32:20.670Z

Link: CVE-2025-15521

Vulnrichment

Updated: 2026-01-21T15:31:49.310Z

NVD

Status : Deferred

Published: 2026-01-21T02:15:48.363

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses