


Perceptive Security
SOC/SIEM Consultancy

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all ve…
Published:
20 January 2026 at 23:00:00
Alert date:
21 January 2026 at 03:01:08
Source:
nvd.nist.gov
Web Technologies, Identity & Access
The Academy LMS WordPress plugin is vulnerable to privilege escalation via account takeover in versions up to 3.5.0. The vulnerability stems from improper user identity validation before password updates and reliance on publicly-exposed nonces for authorization. Unauthenticated attackers can exploit this to change arbitrary user passwords, including administrators, and gain unauthorized access to accounts.
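The hardened form of the pattern described above, as an added example that is not Academy LMS code or the vendor's patch: a password-change AJAX handler that uses the nonce only as a CSRF check and takes the target account from the authenticated session. The action name `example_change_password`, the request field names and the 12-character minimum are hypothetical.

```php
<?php
// Added illustration with hypothetical names; not taken from the plugin.

// Register only the authenticated hook. Without a wp_ajax_nopriv_* variant,
// logged-out visitors cannot reach the handler at all.
add_action( 'wp_ajax_example_change_password', 'example_change_password' );

function example_change_password() {
    // CSRF check only. A nonce printed into a public page shows the request
    // came from that page, not that the caller may act on a given account.
    check_ajax_referer( 'example_change_password', 'security' );

    // The account being changed is the session's user, never a request field.
    $user = wp_get_current_user();
    if ( ! $user->exists() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new     = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    // Re-authenticate before a credential change so that a borrowed or
    // hijacked session alone is not enough to replace the password.
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( array( 'message' => 'Current password is incorrect.' ), 403 );
    }

    // Hypothetical minimum length; apply the site's own password policy here.
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( array( 'message' => 'New password is too short.' ), 400 );
    }

    wp_set_password( $new, $user->ID );
    wp_send_json_success();
}
```

A handler that must let one user change another user's password would additionally require `current_user_can( 'edit_user', $target_id )` for the requested account before calling `wp_set_password()`.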
Technical details
Mitigation steps:
Affected products:
Academy LMS WordPress Plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-15521
https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581
https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
