Description
Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server.

This issue affects Academy LMS Pro: from n/a before 3.5.2.
Published: 2026-06-16
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unrestricted upload of dangerous file types, allowing an attacker to place a web shell onto the web server. This represents a severe security flaw because it gives the attacker the ability to execute arbitrary code, potentially leading to full system compromise. The weakness is classified as CWE‑434. The impact is therefore catastrophic, enabling attackers to gain remote code execution and effectively control the compromised site.

Affected Systems

The affected system is the Academy LMS Pro plugin developed by Kodezen LLC. Any installation of the plugin that is older than version 3.5.2 is vulnerable. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score is 8, indicating high severity. The EPSS score is less than 1 %, suggesting that exploitation in the wild is low but not impossible. The vulnerability is not listed in the CISA KEV catalog. The attack is inferred to require authentication with file‑upload privileges—likely an administrator or user with permission to add resources—though the description does not explicitly state the exact prerequisites. If the attacker can perform the upload, the server will accept the file and the web shell can be invoked. No public exploits are identified in the provided data, but the severe nature of the flaw demands prompt action.

Generated by OpenCVE AI on June 17, 2026 at 22:08 UTC.

Remediation

Vendor Solution

Update the WordPress Academy LMS Pro Plugin to the latest available version (at least 3.5.2).


OpenCVE Recommended Actions

  • Update the Academy LMS Pro plugin to version 3.5.2 or later, as recommended by the vendor
  • Restrict file‑upload capabilities to administrators or other trusted roles only
  • Enforce strict MIME type validation on the server to reject dangerous file extensions

Generated by OpenCVE AI on June 17, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Kodezen
Kodezen academy Lms
Wordpress
Wordpress wordpress
Vendors & Products Kodezen
Kodezen academy Lms
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2.
Title WordPress Academy LMS Pro plugin < 3.5.2 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Kodezen Academy Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:35:55.123Z

Reserved: 2026-04-07T10:48:50.116Z

Link: CVE-2026-39598

cve-icon Vulnrichment

Updated: 2026-06-17T10:35:50.000Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type