Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS.This issue affects Academy LMS: from n/a through <= 3.4.0.
Published: 2025-12-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An injected script can execute in the browsers of users viewing the affected content, enabling attackers to hijack sessions, deface pages, or load additional malicious resources. This weakness is classified as CWE‑79 and permits a broad range of client‑side attacks that compromise confidentiality, integrity, and the user experience.

Affected Systems

The vulnerability exists in the Academy LMS plugin from Kodezen LLC for WordPress with versions up through 3.4.0. No other versions have been reported as affected, and the plugin’s versioning scheme indicates that fixes are expected in newer releases.

Risk and Exploitability

The CVSS score of 6.5 places the issue in the medium severity range, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require an attacker to inject malicious markup into fields that are stored and later rendered, and a victim must view that content for the script to run. No external authentication prerequisites are listed, but the lack of details means the full attack surface cannot be precisely defined.

Generated by OpenCVE AI on April 29, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Academy LMS plugin to the latest version that patches the XSS issue.
  • If an upgrade is not feasible, disable or uninstall the plugin until a fix becomes available.
  • In the interim, apply a web‑application firewall rule that blocks or sanitizes user input containing script tags.

Generated by OpenCVE AI on April 29, 2026 at 15:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 29 Dec 2025 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Kodezen
Kodezen academy Lms
Wordpress
Wordpress wordpress
Vendors & Products Kodezen
Kodezen academy Lms
Wordpress
Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Dec 2025 12:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS.This issue affects Academy LMS: from n/a through <= 3.4.0.
Title WordPress Academy LMS plugin <= 3.4.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Kodezen Academy Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:29.593Z

Reserved: 2025-12-19T10:17:03.706Z

Link: CVE-2025-68527

cve-icon Vulnrichment

Updated: 2025-12-24T19:08:28.715Z

cve-icon NVD

Status : Deferred

Published: 2025-12-24T13:16:22.117

Modified: 2026-04-27T19:16:28.147

Link: CVE-2025-68527

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T15:45:14Z

Weaknesses