Impact
The Academy LMS WordPress plugin registers its '/topics' REST API endpoint with a permission callback that always returns true, so every request is authorized before any check runs. Neither the permission callback nor the endpoint handler verifies the course's post status or whether the requester is enrolled. An unauthenticated attacker can therefore enumerate course IDs and retrieve detailed curriculum information for private, draft, scheduled, or password-protected courses. The flaw discloses content the site owner intended to restrict: proprietary curriculum and other intellectual property, and potentially private learner-facing material.
Affected Systems
The vulnerability affects the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution, developed by kodezen, in all versions up to and including 3.8.1. Sites running any of these versions and exposing the REST API are susceptible.
Risk and Exploitability
With a CVSS base score of 5.3 (Medium), the vulnerability is of moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires nothing more than unauthenticated HTTP GET requests to the vulnerable REST endpoint, so an attacker can enumerate and retrieve private course data without credentials or any privilege-escalation step. The attack vector is network-based: the REST API is reachable by anyone who can reach the site.
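The following is an added illustration of the pattern described under Impact and of the unauthenticated GET path above. It is not the Academy LMS plugin's code: the route namespace 'example-lms/v1', the post types 'example_course' and 'example_topic', the user-meta enrollment record and both helper functions are assumptions made for the example. It shows the vulnerable registration ('permission_callback' => '__return_true') next to a hardened permission callback that checks post status, post password and enrollment before the handler runs.

```php
<?php
// Added illustration, not the Academy LMS plugin's own code. The namespace,
// post types, user-meta key and the two helpers below are assumptions.

const EXAMPLE_COURSE_POST_TYPE = 'example_course';

// Assumed data model: topics are child posts of the course post.
function example_get_course_topics( int $course_id ): array {
    $topics = array();
    $query  = array( 'post_parent' => $course_id, 'post_type' => 'example_topic', 'post_status' => 'any' );
    foreach ( get_children( $query ) as $topic ) {
        $topics[] = array( 'id' => $topic->ID, 'title' => $topic->post_title );
    }
    return $topics;
}

// Assumed enrollment record: an array of course IDs stored in user meta.
function example_is_user_enrolled( int $user_id, int $course_id ): bool {
    $enrolled = get_user_meta( $user_id, 'example_enrolled_courses', true );
    return is_array( $enrolled ) && in_array( $course_id, $enrolled, true );
}

// Vulnerable pattern: '__return_true' admits every request, authenticated or
// not, and nothing downstream checks post status, password or enrollment, so
// any course ID (draft, private, scheduled, password-protected) is served.
function example_register_vulnerable_route() {
    register_rest_route( 'example-lms/v1', '/topics', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_get_course_topics( (int) $request->get_param( 'course_id' ) ) );
        },
    ) );
}

// Hardened permission callback: runs before the handler and fails closed.
// WordPress validates the route's 'args' first, so course_id is already a
// positive integer here.
function example_topics_permission_check( WP_REST_Request $request ) {
    $course_id = (int) $request->get_param( 'course_id' );
    $course    = get_post( $course_id );
    $not_found = new WP_Error( 'rest_course_not_found', 'Course not found.', array( 'status' => 404 ) );

    // Unknown ID or wrong post type. Answering 404 here, and again below for
    // unpublished courses, stops the endpoint confirming which IDs exist.
    if ( ! $course || EXAMPLE_COURSE_POST_TYPE !== $course->post_type ) {
        return $not_found;
    }
    // Staff who may edit the course see it in any state (draft, private, scheduled).
    if ( current_user_can( 'edit_post', $course_id ) ) {
        return true;
    }
    if ( 'publish' !== $course->post_status ) {
        return $not_found;
    }
    // Password-protected courses: post_password_required() checks the cookie
    // WordPress sets once the visitor has entered the post password.
    if ( post_password_required( $course ) ) {
        return new WP_Error( 'rest_course_locked', 'Password required.', array( 'status' => 403 ) );
    }
    // Curriculum details are for enrolled learners only.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Login required.', array( 'status' => 401 ) );
    }
    if ( ! example_is_user_enrolled( get_current_user_id(), $course_id ) ) {
        return new WP_Error( 'rest_not_enrolled', 'Enrollment required.', array( 'status' => 403 ) );
    }
    return true;
}

function example_register_hardened_route() {
    register_rest_route( 'example-lms/v1', '/topics', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => 'example_topics_permission_check',
        'args'                => array(
            'course_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_get_course_topics( (int) $request->get_param( 'course_id' ) ) );
        },
    ) );
}

// Only the hardened route is hooked; the vulnerable one is kept for comparison.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

With the hardened route, an anonymous GET to /wp-json/example-lms/v1/topics?course_id=N returns 404 for unpublished or non-existent courses and 401 for published ones, which is exactly the information the vulnerable route gave away for free. Returning the same 404 for "does not exist" and "exists but is not published" is deliberate: a distinct 403 for unpublished courses would still let an attacker enumerate valid IDs.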
OpenCVE Enrichment