Description
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.
Published: 2026-07-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Academy LMS WordPress plugin registers its '/topics' REST API endpoint with a permission callback that always returns true. As a result, the endpoint does not verify the course's post status or whether the requestor is enrolled. An unauthenticated attacker can therefore enumerate course IDs and retrieve detailed curriculum information for private, draft, scheduled, or password-protected courses. This flaw permits the disclosure of sensitive educational content, potentially violating privacy, leaking proprietary curriculum, and compromising intellectual property rights.

Affected Systems

The vulnerability affects the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution, developed by kodezen, in all versions up to and including 3.8.1. Sites running any of these versions and exposing the REST API are susceptible.

Risk and Exploitability

With a CVSS base score of 5.3, the vulnerability is considered moderate in severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires only unauthenticated HTTP GET requests to the vulnerable REST endpoint, making it straightforward for attackers to enumerate and retrieve private course data without traditional privilege escalation. The attack vector is network-based, relying on the publicly accessible REST API.

Generated by OpenCVE AI on July 2, 2026 at 12:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Academy LMS plugin to any version newer than 3.8.1, where the permission callback for the '/topics' endpoint has been corrected.
  • If an update cannot be applied immediately, add a WordPress code snippet that changes the permission callback for the '/topics' route to enforce authentication or restrict access to enrolled users, thereby preventing unauthenticated enumeration.
  • Configure the WordPress REST API to require authentication for privileged endpoints or apply a global access control policy, reducing the risk of similar insecure direct object references in future releases.
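The second action above (a stopgap that replaces the always-true permission callback until the plugin is updated) can be implemented with the WordPress `rest_endpoints` filter. The snippet below is an added example, not code from OpenCVE or from the Academy LMS plugin; it assumes it is dropped into wp-content/mu-plugins/ and matches the vulnerable route only by its '/topics' suffix, since the advisory does not give the plugin's REST namespace.

```php
<?php
/**
 * Plugin Name: Harden Academy LMS /topics REST route (temporary)
 * Description: Added example mu-plugin. Wraps the permission callback of any
 * REST route ending in /topics so that anonymous requests are refused while
 * the plugin's own check (here '__return_true') is still honoured for
 * authenticated users. Remove once the plugin is updated past 3.8.1.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    foreach ( $endpoints as $route => $handlers ) {
        // Assumption: the namespace is unknown, so match on the route suffix only.
        if ( ! preg_match( '#/topics/?$#', $route ) ) {
            continue;
        }
        foreach ( $handlers as $i => $handler ) {
            // Skip route-level metadata such as the 'namespace' string entry.
            if ( ! is_array( $handler ) || ! isset( $handler['callback'] ) ) {
                continue;
            }
            $original = $handler['permission_callback'] ?? '__return_true';
            $endpoints[ $route ][ $i ]['permission_callback'] =
                function ( WP_REST_Request $request ) use ( $original ) {
                    // Refuse unauthenticated callers outright.
                    if ( ! is_user_logged_in() ) {
                        return new WP_Error(
                            'rest_forbidden',
                            __( 'Authentication required.' ),
                            array( 'status' => rest_authorization_required_code() )
                        );
                    }
                    // Defer to whatever check the plugin already performs.
                    return is_callable( $original ) ? call_user_func( $original, $request ) : true;
                };
        }
    }
    return $endpoints;
} );
```

After activating, an anonymous request to the route should return HTTP 401 with code `rest_forbidden`, while a logged-in (cookie plus nonce, or application password) request behaves as before.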

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.

Type: Title
Values Removed: (none)
Values Added: Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-02T14:52:06.995Z

Reserved: 2026-04-01T16:39:04.047Z

Link: CVE-2026-5348

Vulnrichment

Updated: 2026-07-02T14:51:12.519Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T12:15:04Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key